webappsec @ ibuildings in 2014
Posted on 18-Oct-2014
DESCRIPTION
Internal workshop in 2014 on improving Web Application Security. Talks about the OWASP Top 10, a Secure Software Development Lifecycle and OWASP ASVS.
TRANSCRIPT
Web Application Security 2014 @ Ibuildings
Boy Baukema, 29th January 2014, Vlissingen
Wednesday, February 5, 14
Fear, Uncertainty and Doubt (FUD)
‣ Adobe / Apple / Drupal.org / Evernote / LinkedIn / Facebook / NYT / PHP.net
‣ Java 0-days
‣ SSL BREACH
High-profile customers are targets:
‣ AbuseHub
‣ MijnDomein
‣ RTLNieuws
‣ Windows XP EOL in April ’14
What to do?
‣OWASP Top 10 2013
‣ Status (Secure) Software Development Lifecycle
‣OWASP ASVS 2013
‣OWASP ASVS Bingo!
Security is a cross-cutting concern
'Director's home router also of interest to hackers' (Dutch news headline: 'Thuisrouter directeur ook interessant voor hackers')
OWASP Top 10 (2013) time!
A1-Injection
‣ SQL Injection
‣ HTML Injection
‣ XML Injection
  • XML External Entities (XXE)
‣ JavaScript Injection
‣ CSS Injection
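The SQL Injection and HTML Injection bullets above, as an added Python example (this is not code from the workshop; the in-memory table, the user record and the payload are constructed here): the same login query written with string concatenation and with a bound parameter, next to the output-encoding fix for HTML injection. Passwords are stored in clear only to keep the injection visible; A6 covers hashing.

```python
import html
import sqlite3

PAYLOAD = "' OR '1'='1"   # classic tautology payload, constructed for the demo


def make_db():
    """Constructed in-memory users table (not from the workshop)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, name, password):
    """String concatenation: user input is parsed as part of the SQL grammar.
    With password = PAYLOAD the WHERE clause becomes
    name = 'x' AND password = '' OR '1'='1', which is always true."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, name, password):
    """Parameterised query: the driver binds the values as data, so quotes
    in the input can never change the statement's structure."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] > 0


def greet_vulnerable(name):
    """HTML injection: the value is copied into markup unchanged."""
    return "<p>Hello " + name + "</p>"


def greet_safe(name):
    """Output encoding for the HTML body context; attribute, URL and
    JavaScript contexts each need their own encoder."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print("concatenated query, unknown user, payload:", login_vulnerable(db, "nobody", PAYLOAD))
    print("bound parameters, same input:", login_safe(db, "nobody", PAYLOAD))
    print(greet_safe("<script>alert(1)</script>"))
```

The PHP equivalent of `login_safe` is a PDO prepared statement with bound values; the point is the same in any driver: the statement text is fixed before the data arrives.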
A2-Broken Authentication and Session Management
‣ Session Fixation
‣ Missing Session Timeout
‣ Login over HTTP
‣ Unprotected Password Reset
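The first three A2 items (session fixation, missing session timeout, login over HTTP), as an added Python example that is not code from the workshop: a minimal in-memory session store, constructed here with an injectable clock so expiry can be exercised, that issues a fresh id at login, drops idle sessions, only allows critical operations shortly after authentication, and emits a session cookie carrying the HttpOnly and Secure flags. The cookie name PHPSESSID and the timeouts are assumptions; PHP's equivalents are session_regenerate_id(true) and the php.ini flags on the A5 slide.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60    # seconds of inactivity before a session is dropped (assumed value)
REAUTH_WINDOW = 5 * 60    # how recently the user must have logged in for critical actions (assumed)


class SessionStore:
    """In-memory session store, constructed for this example."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session id -> {"user", "last_seen", "authenticated_at"}

    def _new_id(self):
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def create(self):
        """Anonymous session for a visitor who has not logged in yet."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock(), "authenticated_at": None}
        return sid

    def get(self, sid):
        """Return the session, or None if it is unknown or idle for longer than IDLE_TIMEOUT."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        session["last_seen"] = now
        return session

    def login(self, old_sid, user):
        """Fixation defence: the pre-login id (possibly chosen by an attacker) is
        discarded and a fresh id is issued, so a fixated id never becomes a
        logged-in session."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "last_seen": now, "authenticated_at": now}
        return sid

    def can_do_critical(self, sid):
        """Critical operations require a recent authentication; otherwise re-authenticate
        (and issue a new id again via login())."""
        session = self.get(sid)
        return (session is not None and session["user"] is not None
                and self._clock() - session["authenticated_at"] <= REAUTH_WINDOW)


def session_cookie(sid):
    """Set-Cookie value: HttpOnly keeps the id away from script, Secure keeps it
    off plain HTTP, which is where 'login over HTTP' leaks it."""
    return "PHPSESSID=%s; Path=/; HttpOnly; Secure" % sid
```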
HTTP Strict Transport Security
Strict-Transport-Security: max-age=60000; includeSubDomains
max-age is in seconds: 60000 is under 17 hours, so a visitor who stays away for a day makes their next first request over plain HTTP again. Production deployments use months, and browsers only honour the header when it arrives over HTTPS.
A3-Cross-Site Scripting (XSS)
‣ Stored
‣ Reflected
‣ DOM based
See Injection.
Content-Security-Policy
Content-Security-Policy(-Report-Only):
‣ default-src 'none';
‣ script-src https://cdn.mybank.net;
‣ style-src https://cdn.mybank.net;
‣ img-src https://cdn.mybank.net;
‣ connect-src https://api.mybank.com;
‣ frame-src 'self';
‣ report-uri /my_amazing_csp_report_parser;
With default-src 'none' everything not listed is blocked, including inline scripts and styles, so templates must move inline code into files served from the listed origin. Roll the policy out with the -Report-Only header first and read the reports before enforcing.
Browser support: IE10+, FF4+, Chrome 14+, (iOS) Safari 5.1+, Android 4.4+ (http://caniuse.com/contentsecuritypolicy)
A4-Insecure Direct Object References
A5-Security Misconfiguration
‣ Out-of-date PHP version (PHP < 5.3; < 5.4 after July)
‣ admin/admin
‣ Stack traces
‣ php.ini
  • max_execution_time = 0
  • session.cookie_httponly = Off
  • session.cookie_secure = Off
  • allow_url_fopen = On
  • See: PhpSecInfo
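The php.ini items above, as an added Python example in the spirit of PhpSecInfo (not the PhpSecInfo code and not from the workshop): a small php.ini reader and a checker that flags the weak values from the slide, run over two constructed fragments, the weak configuration and its hardened counterpart. display_errors is included because it is how the "stack traces" bullet usually happens in PHP.

```python
# Constructed php.ini fragments: the weak values from the slide, and the hardened counterpart.
WEAK_INI = """\
[PHP]
max_execution_time = 0        ; no limit
display_errors = On           ; stack traces reach the visitor
allow_url_fopen = On
[Session]
session.cookie_httponly = Off
session.cookie_secure = Off
"""

HARDENED_INI = """\
[PHP]
max_execution_time = 30
display_errors = Off          ; log instead (log_errors = On)
allow_url_fopen = Off
[Session]
session.cookie_httponly = On
session.cookie_secure = On
"""


def is_on(value):
    """php.ini booleans: 1/On/True/Yes are on; 0/Off/False/No/"" are off."""
    return value.strip().lower() in ("1", "on", "true", "yes")


# directive -> (predicate that is true for a weak value, why it matters)
CHECKS = {
    "max_execution_time": (lambda v: v == "0",
        "no execution limit: one slow request can hold a worker forever (DoS)"),
    "display_errors": (is_on,
        "stack traces, paths and query fragments are shown to the visitor"),
    "allow_url_fopen": (is_on,
        "file functions such as file_get_contents() fetch remote URLs, so a "
        "user-controlled path becomes a server-side request"),
    "session.cookie_httponly": (lambda v: not is_on(v),
        "session cookie readable by JavaScript, so an XSS bug can steal it"),
    "session.cookie_secure": (lambda v: not is_on(v),
        "session cookie is also sent over plain HTTP"),
}


def parse_php_ini(text):
    """Minimal php.ini reader: key = value lines, ';' comments (trailing ones too),
    [section] headers skipped, surrounding double quotes dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit(ini_text):
    """Return (directive, value, reason) for every weak or unset directive."""
    settings = parse_php_ini(ini_text)
    findings = []
    for directive, (is_weak, reason) in CHECKS.items():
        value = settings.get(directive)
        if value is None:
            findings.append((directive, "<unset>",
                             "not set explicitly; PHP's built-in default applies, verify it"))
        elif is_weak(value):
            findings.append((directive, value, reason))
    return findings


if __name__ == "__main__":
    for directive, value, reason in audit(WEAK_INI):
        print("%-26s %-8s %s" % (directive, value, reason))
    print("hardened:", audit(HARDENED_INI))
```

Run it against the output of `php --ini` / `php -i` on the real server rather than the file in the repository; what is loaded (and what a `.htaccess` or `ini_set()` overrides) is what counts.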
A6-Sensitive Data Exposure
‣ Unsalted passwords
‣ Unencrypted Credit Cards
‣ Passwords / Session tokens over HTTP
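The "Unsalted passwords" item, as an added Python example that is not code from the workshop: a per-user random salt with an iterated PBKDF2-HMAC-SHA256 hash and a constant-time verify, next to the unsalted SHA-1 the slide warns against. The encoding of the stored string and the iteration count are my own choices; in PHP 5.5+ the same thing is password_hash() and password_verify().

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100000   # assumed value; raise it as hardware gets faster


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash. A fresh 16-byte random salt per user means two
    users with the same password get different hashes and precomputed
    (rainbow) tables are useless; the iterations slow down offline guessing."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the salt and iteration count stored alongside the hash and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def unsalted_hash(password):
    """What the slide warns against: identical for every user and every site
    with the same password, so one leaked table cracks them all at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored), verify_password("wrong", stored))
```

Because the iteration count travels with the hash, old records keep verifying after the default is raised; rehash a user's password at their next successful login.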
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards
BONUS: Clickjacking
X-Frame-Options
‣ DENY: the page cannot be displayed in a frame, regardless of the site attempting to do so.
‣ SAMEORIGIN: the page can only be displayed in a frame on the same origin as the page itself.
‣ ALLOW-FROM uri: the page can only be displayed in a frame on the specified origin. Only IE and Firefox honour ALLOW-FROM; Chrome and Safari do not implement it.
Browser support: IE8+, Chrome 4+, FF 3.6+, Safari 4+
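The three response headers from the HSTS, Content-Security-Policy and X-Frame-Options slides, as one added Python example (WSGI middleware, not code from the workshop; the demo application and the offline caller are constructed here): the header values are the ones on the slides, HSTS is only emitted on HTTPS responses since browsers ignore it over plain HTTP, and a flag switches CSP to the -Report-Only variant for trying a policy out.

```python
from wsgiref.util import setup_testing_defaults

# Header values taken from the slides.
HSTS = "max-age=60000; includeSubDomains"
CSP = ("default-src 'none'; "
       "script-src https://cdn.mybank.net; "
       "style-src https://cdn.mybank.net; "
       "img-src https://cdn.mybank.net; "
       "connect-src https://api.mybank.com; "
       "frame-src 'self'; "
       "report-uri /my_amazing_csp_report_parser")
FRAME_OPTIONS = "SAMEORIGIN"


def security_headers(app, csp_report_only=False):
    """WSGI middleware: add the headers to every response unless the application
    already set them. csp_report_only=True sends Content-Security-Policy-Report-Only,
    which reports violations to report-uri without blocking anything."""
    csp_name = "Content-Security-Policy-Report-Only" if csp_report_only else "Content-Security-Policy"

    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            to_add = [(csp_name, CSP), ("X-Frame-Options", FRAME_OPTIONS)]
            # Browsers only honour HSTS received over HTTPS; on HTTP it is noise.
            if environ.get("wsgi.url_scheme") == "https":
                to_add.append(("Strict-Transport-Security", HSTS))
            for name, value in to_add:
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in application, constructed for the example."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>my bank</h1>"]


def call(app, scheme="https", path="/"):
    """Invoke a WSGI app offline; returns (status, dict of headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["wsgi.url_scheme"] = scheme
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = call(security_headers(demo_app))
    for name, value in headers.items():
        print("%s: %s" % (name, value))
```

Setting the headers in one place (middleware, or the web server configuration) rather than per page is what makes the "logout from all pages" style of requirement checkable: one place to read, one place to test.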
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle
Source: http://pentestmag.com/security-and-the-software-development-life-cycle/
Requirements / Functional Design
‣ Threat modeling
‣ Security Requirements
Architecture & Design / Technical Design
‣ Web App Review
Development / Implementation
‣ Secure Coding Practices
‣ Whitebox Testing
Development: Secure Coding Guidelines
‣ Use only POST for credentials
‣ Notify users when a password reset occurs
‣ Re-authenticate users prior to performing critical operations
‣ Logout functionality should be available from all pages protected by authorization
‣ Generate a new session identifier on any re-authentication
‣ Logging controls should support both success and failure of specified security events
Source: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
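"Unprotected Password Reset" from A2 and the reset-notification and success/failure logging items in the guidelines above, as one added Python example (not code from the OWASP guide or the workshop; the class, its method names and the lifetime are my own): a reset flow whose token is random, single-use and time-limited, is stored only as a hash so a leaked table yields nothing usable, and which records a notification and an audit event for the request, for a successful completion and for every failure.

```python
import hashlib
import secrets
import time

RESET_TTL = 30 * 60   # token lifetime in seconds (assumed value)


class PasswordReset:
    """Password reset flow, constructed for this example. The clock is injectable
    so expiry can be exercised; notifications and events are collected in lists
    as stand-ins for e-mail and the security log."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}       # sha256(token) -> (user, expires_at)
        self.events = []         # (event, user, outcome): both success and failure
        self.notifications = []  # (user, message)

    def _log(self, event, user, outcome):
        self.events.append((event, user, outcome))

    @staticmethod
    def _digest(token):
        # Only the hash is stored; the clear token exists only in the link sent to the user.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request(self, user):
        """Issue a token for the user. The caller delivers it to the user's verified
        address; it must never be echoed in the HTTP response."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user, self._clock() + RESET_TTL)
        self._log("password_reset_requested", user, "success")
        self.notifications.append((user, "A password reset was requested for your account."))
        return token

    def complete(self, token, new_password, set_password):
        """Consume the token (pop: single use), check expiry, then set the password
        through the supplied callback. Every failure is logged without revealing
        to the caller which check failed."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            self._log("password_reset", None, "failure: unknown or already used token")
            return False
        user, expires_at = entry
        if self._clock() > expires_at:
            self._log("password_reset", user, "failure: expired token")
            return False
        set_password(user, new_password)
        self._log("password_reset", user, "success")
        self.notifications.append((user, "Your password was changed."))
        return True
```

Completing the reset should also terminate the user's other sessions and, per the A2 slide, log the user in (if at all) with a freshly generated session id.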
Development: (360) Code Reviews
Testing
‣Greybox testing
Deployment
‣Greybox security testing by third party
Maintenance / SLA
‣ Black box quarterly
‣ Grey box annually
‣ Monitoring
‣ Security Patches
Training
‣ Basic WebAppSec training
‣ Secure Coding training
‣ QA & Testing training
OWASP ASVS 2013
Security Checklist
Leveling up
Requirements (chart on the slide): 47, 136, 164
Scope
Requirements
V1. Authentication
V2. Session Management
V3. Access Control
V4. Input Validation
V5. Cryptography (at Rest)
V6. Error Handling and Logging
V7. Data Protection
V8. Communication Security
V9. HTTP Security
V10. Malicious Controls
V11. Business Logic
V12. Files and Resources
V13. Mobile
An example
Annotated ASVS 2013
An AASVS (Annotated ASVS) Requirement has...
‣ Short Title
‣ Long Title
‣ Verification PASS
‣ Verification FAIL
‣ Verification Help
‣ [Verification Help for PHP]
‣ [Verification Help for Drupal]
‣ [Verification Help for Symfony 2]
‣ Related Resources
Security Audit Template
‣ Introduction
  • Target Of Verification
  • Scope
  • Confidentiality
‣ Document History, TOC
‣ Conclusions
‣ V1 - V13
‣ Appendix A: Source Code analysis
‣ Appendix B: Third Party libraries
Risk Rating
Source: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
OWASP ASVS 2013 and the SSDLC
FAQ
‣ So we must be fully ASVS compliant?
‣ ...?
ASVS BINGO!
BINGO!
Prizes
Bootcamp
Verify it
Your Script for today
100 Fork the Template to your personal space.
220 Pop the 'TODO' stack of Requirements
221 If no Requirement, GOTO 350
230 Assign the Requirement (mark with your name).
231 Verify Requirement.
232 Report the results.
240 Push Requirement in the 'DONE' stack
241 GOTO 220
350 Review the DONE stack.