Leveraging OWASP in Open Source Projects - CAS AppSec Working Group
David Ohsie - Distinguished Engineer, EMC Corporation
Bill Thompson, CISSP, CSSLP - Director IAM Practice, Unicon
Aaron Weaver
Hosted by OWASP & the NYC Chapter
Central Authentication Service (CAS)
Simple, Flexible, Extensible Open Source Web Single Sign-On for the Enterprise
Applications:
● Alfresco
● Confluence
● DokuWiki
● Drupal
● Google Apps
● JIRA
● Joomla!
● Liferay
● MediaWiki
● Moodle
● OpenCMS
● PeopleAdmin
● Roller
● Sakai
● Twiki
● uPortal
● Wordpress
● Zimbra
Client libraries and integrations:
● Spring Security
● Apache Shiro
● Java CAS Client
● .Net CAS Client
● php CAS Client
● mod_auth_cas
● ASP to Zope
Central Authentication Service (CAS)
● CAS initially created by Shawn Bayern in 2001 at Yale
● CAS3 jointly designed and developed by Rutgers and Yale in 2005 as a Jasig project
● Simple protocol, flexible architecture, wide deployment
Central Authentication Service (CAS)
But...is it secure? How do we know?
● Based on Kerberos
● Wide deployment and many eyeballs
● Reports of dynamic scans from time to time
● Maybe we should really check?
Central Authentication Service (CAS)
CAS AppSec Working Group - Jan 2013
• Joachim Fritschi
• Jérôme Leleu
• Misagh Moayyed
• Parker Neff
• David Ohsie
• Andrew Petro
• Bill Thompson
• Aaron Weaver
https://wiki.jasig.org/display/CAS/CAS+AppSec+Working+Group
CAS AppSec Working Group Goals
● Proactively work to improve the security posture
● Respond to potential vulnerabilities
● Produce artifacts that help potential CAS adopters evaluate the security of CAS
● Create and maintain recommendations on good security practices for deployments
Google pays coders to improve open-source security
Open Source software needs to be open on software security.
As an adopter or potential adopter I want to know how the project deals with security
Security can be a strong “selling” point!
Or it can detract from your project
How to avoid being one of the "73%" of WordPress sites vulnerable to attack
Vulnerability Handling Practices
OSS AppSec Program
● Form a working group
● OWASP Resources
● Meet regularly
● Make it easy to report vulnerabilities
● Threat Analysis with Developers
● Run security tools (ZAP, Static Code)
Contributors
● Use OWASP Resources and Libraries
● Threat Model
● Work with security researchers
Make it easy to report a vulnerability
● Security issue email address
● Provide a PGP Key
Static Code Analysis
Issues were found, prioritized and worked through false positives
Threat analysis: Purpose
● What people think/say: “We probably don’t have any major security issues.”
● Threat analysis gives you a way to systematically analyze the possible threats against your system and rank them by potential impact.
● Threat analysis also gives adopters the information they need to analyze the deployment of your system in their environment.
Threat analysis: Methodology
● Decompose the application: Draw a dataflow diagram in order to enumerate the attack surfaces.
● For each attack surface, enumerate the threats to the system and rank them.
● For each threat, create a list of possible mitigations.
● More details: https://www.owasp.org/index.php/Application_Threat_Modeling
CAS Appsec Experience
● Started with a whiteboarding session at the Apereo conference to produce the initial DFD and threats
● Biweekly follow-up meeting via Webex
● Used STRIDE to help identify threats
● Results maintained on wiki page
● https://wiki.jasig.org/display/CAS/CAS+Threat+Modeling
CAS Context DFD
CAS Protocol DFD
Entities: Browser, CAS Server, CAS Client (Agent), Application
Data flows:
● Browser → CAS Server: Username/Password + Application Service URL
● CAS Server → Browser: SSO Session Cookie (TGT), Application Service Ticket (ST)
● Browser → CAS Client (Agent): HTTP(S) Request + ST
● CAS Client (Agent) → CAS Server: ST validation over HTTPS
● CAS Client (Agent) → Application: HTTP(S) + Optional Session Cookie
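The DFD above names the four parties and the messages between them; the following walk-through plays the exchange end to end so the ticket handling at each hop is visible. It is an added example written for this page, not CAS code: the user database, service URLs and the `CasServer`/`CasClient` classes are constructed, and the ten-second ST lifetime is an assumed value. The checks in `validate` mirror the properties the real protocol relies on (a service ticket is consumed on first use, is bound to the service it was minted for, and expires quickly), which is exactly the set of properties a threat model of the "Browser → CAS Client → CAS Server" edge needs to verify.

```python
"""Toy walk-through of the CAS protocol DFD (constructed example, not CAS code).

Hops:  browser -> CAS server   : credentials + service URL
       CAS server -> browser   : TGT cookie + ST
       browser -> CAS client   : request + ST
       CAS client -> CAS server: ST validation (HTTPS in a real deployment)
"""
import secrets
import time

ST_LIFETIME_SECONDS = 10  # assumed value; real deployments keep STs short-lived


class CasServer:
    def __init__(self, users):
        self._users = users   # constructed user database: {username: password}
        self._tgts = {}       # TGT -> username
        self._sts = {}        # ST  -> (username, bound service, issued_at)

    def login(self, username, password, service):
        """Browser -> CAS server with credentials. Returns (TGT cookie, ST)."""
        if self._users.get(username) != password:
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self._tgts[tgt] = username
        return tgt, self.issue_service_ticket(tgt, service)

    def issue_service_ticket(self, tgt, service):
        """Browser presenting its SSO cookie: mint an ST for one service."""
        username = self._tgts.get(tgt)
        if username is None:
            raise PermissionError("unknown TGT")
        st = "ST-" + secrets.token_urlsafe(24)
        self._sts[st] = (username, service, time.time())
        return st

    def validate(self, st, service, now=None):
        """CAS client -> CAS server: validate an ST. Returns the username or None.

        pop() consumes the ticket, so a second presentation (replay) fails even
        if the other checks would pass. The service must match the one the
        ticket was minted for, and the ticket must be within its lifetime.
        """
        now = time.time() if now is None else now
        record = self._sts.pop(st, None)
        if record is None:
            return None
        username, bound_service, issued_at = record
        if bound_service != service:
            return None
        if now - issued_at > ST_LIFETIME_SECONDS:
            return None
        return username


class CasClient:
    def __init__(self, server, service):
        self._server = server
        self._service = service
        self._sessions = {}   # application session cookie -> username

    def handle_request(self, st):
        """Browser -> CAS client with an ST. Returns a session cookie or None."""
        user = self._server.validate(st, self._service)
        if user is None:
            return None
        cookie = "JSESSIONID-" + secrets.token_urlsafe(16)
        self._sessions[cookie] = user
        return cookie


def run_flow():
    """Drive the happy path plus two misuse cases; returns which checks held."""
    server = CasServer({"alice": "correct horse"})          # constructed
    app = CasClient(server, "https://app.example.test/")    # constructed
    tgt, st = server.login("alice", "correct horse", "https://app.example.test/")
    first = app.handle_request(st)            # fresh ticket: session issued
    replay = app.handle_request(st)           # same ticket again: rejected
    other = server.issue_service_ticket(tgt, "https://other.example.test/")
    wrong_service = app.handle_request(other) # ticket for another service: rejected
    return {"first": first is not None,
            "replay": replay is None,
            "wrong_service": wrong_service is None}


if __name__ == "__main__":
    print(run_flow())
```

`run_flow` returns `{"first": True, "replay": True, "wrong_service": True}`; passing a far-future `now` to `validate` shows the expiry check independently of the others.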
STRIDE
Threat → Security Control
● Spoofing → Authentication
● Tampering → Integrity
● Repudiation → Non-Repudiation
● Information Disclosure → Confidentiality
● Denial of Service → Availability
● Elevation of Privilege → Authorization
CAS Appsec Sample Threat
● Identifier: PC_3
● Category: Information Disclosure
● Threat: The pgtIou and pgtId are sent as GET parameters, which can be a problem as they might be stored in logs or indexed in internal search engines...
● Mitigation: Never log the GET parameters on the proxy callback url. Though, it might not be sufficient. Should we change the CAS protocol in the next revision (v4.0) to POST these parameters?
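The PC_3 mitigation is "never log the GET parameters on the proxy callback url". The helper below is an added example, not CAS project code, showing one way to implement that at the logging layer and to audit logs that already exist: it redacts the values of ticket-bearing query parameters from a URL or an access-log line, and flags lines that still carry them. `pgtIou` and `pgtId` are the PC_3 parameters; adding `ticket` and `pgt` to the redaction set, the `/proxyCallback` path and the sample log lines are all constructed assumptions for the example.

```python
"""Redact CAS proxy-callback secrets from URLs and access-log lines.
Constructed example for the PC_3 mitigation, not CAS project code."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# pgtIou / pgtId are the PC_3 parameters; ticket and pgt are added here on the
# assumption that a deployment wants every ticket value kept out of logs.
SENSITIVE_PARAMS = frozenset({"pgtIou", "pgtId", "ticket", "pgt"})
PLACEHOLDER = "REDACTED"

# Matches "<name>=<value>" immediately after "?" or "&"; the value stops at the
# next "&", whitespace or quote so it works inside a quoted request line.
_PARAM_RE = re.compile(
    r'(?<=[?&])(' + "|".join(sorted(SENSITIVE_PARAMS)) + r')=([^&\s"]*)'
)


def redact_url(url, sensitive=SENSITIVE_PARAMS, placeholder=PLACEHOLDER):
    """Replace the value of every sensitive query parameter in a parsed URL."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    clean = [(k, placeholder if k in sensitive else v) for k, v in pairs]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(clean), parts.fragment))


def redact_log_line(line, placeholder=PLACEHOLDER):
    """Redact sensitive parameter values anywhere in a raw log line.

    Regex-based so it can run on lines whose URL is not parsed out (combined
    log format, error logs, proxy logs). Lines without such parameters are
    returned unchanged.
    """
    return _PARAM_RE.sub(lambda m: f"{m.group(1)}={placeholder}", line)


def find_leaks(lines):
    """Audit helper: indices of lines that still carry an unredacted ticket value."""
    leaks = []
    for i, line in enumerate(lines):
        for m in _PARAM_RE.finditer(line):
            if m.group(2) and m.group(2) != PLACEHOLDER:
                leaks.append(i)
                break
    return leaks


# Constructed sample access-log lines (combined log format style).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Feb/2013:12:00:00 +0000] '
    '"GET /proxyCallback?pgtIou=PGTIOU-abc123&pgtId=PGT-def456 HTTP/1.1" 200 0',
    '10.0.0.6 - - [01/Feb/2013:12:00:01 +0000] "GET /login?service=https%3A%2F%2Fapp.example.test%2F HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Feb/2013:12:00:02 +0000] "GET /app/?ticket=ST-xyz789 HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    print("leaking lines:", find_leaks(SAMPLE_LOG_LINES))
    for line in SAMPLE_LOG_LINES:
        print(redact_log_line(line))
```

`redact_url` re-encodes the surviving parameters, so a value such as a service URL comes back percent-encoded; that is fine for a log record but means the redacted string is not byte-identical to the original for non-sensitive parameters. Redacting at the logger is the part of PC_3 the working group could apply immediately; the slide's open question about moving the parameters to POST in the protocol revision is the deeper fix.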
Classifying Remediation
● Easy: Security Guide contents
  ○ Disable http
  ○ How to write a safe CAS client/plugin
  ○ Securing the ticket registry
● Harder: Change the code
  ○ Secure-by-default
  ○ Encrypted/signed ticket registry
CAS Threat modeling results
● Classified 19 threats against the system
● Generated 10 proposals
● One proposal (secure-by-default) integrated into CAS 4.0
● Paraphrase from a CAS committer:
  ○ “I thought when we started that we would not find any problems, but now I see that there are lots of improvements to be made”
Challenges
● Even in a security project, features are favored over security!
● Difficult to get consistent participation (although a core of contributors have kept it up; thank you, Jérôme Leleu and co-presenters!)
● Difficult to get changes prioritized and into the project
Application Security Professionals
Find an open source project and volunteer!
Thanks!
David Ohsie
Bill Thompson, CISSP, CSSLP, IAM Practice Director, [email protected]
Aaron Weaver