2014 06-05-mozilla-afup

of 56 /56
AFUP/MOZILLA/OWASP Mee/ng @Mozilla Paris 5th June 2014 Sébas&en Gioria Sebas/[email protected] Chapter Leader & Evangelist OWASP France OWASP, the Life,the Universe and the ElePHPhants

Upload: sebastien-gioria

Post on 08-May-2015

535 views

Category:

Technology


0 download

DESCRIPTION

Meeting OWASP /AFUP du 5 Juin 2014

TRANSCRIPT

Page 1: 2014 06-05-mozilla-afup

AFUP/MOZILLA/OWASP    Mee/ng  @Mozilla  Paris  

5th  June  2014Sébas&en  Gioria  Sebas/[email protected]  Chapter  Leader  &  Evangelist  OWASP  France

OWASP,  the  Life,the  Universe  

and  the  ElePHPhants  

Page 2: 2014 06-05-mozilla-afup

2

Page 3: 2014 06-05-mozilla-afup

http://www.google.fr/#q=sebastien gioria

‣OWASP France Leader & Founder & Evangelist

‣Innovation and Technology @Advens && Application Security Expert

Twitter :@SPoint/@OWASP_France

2

‣Application Security group leader for the CLUSIF

‣Proud father of youngs kids trying to hack my digital life.

Page 4: 2014 06-05-mozilla-afup

Agenda

• Applica/on  Security  :  – where  we  are  (no  bullshit)  – where  we  are  (hopefully)  going  ?  

• Open  Web  Applica/on  Security  Project  ?  • Major  projects  you  can  use

4

Page 5: 2014 06-05-mozilla-afup

Why  Applica/on  Security  ?

54

Page 6: 2014 06-05-mozilla-afup

Why  Applica/on  Security  ?

54

Your Application has been Hacked

Page 7: 2014 06-05-mozilla-afup

Why  Applica/on  Security  ?

54

Your Application has been Hacked

YES

Page 8: 2014 06-05-mozilla-afup

Why  Applica/on  Security  ?

54

Your Application has been Hacked

NO

YES

Page 9: 2014 06-05-mozilla-afup

Why  Applica/on  Security  ?

54

Your Application

will be Hacked ;)

Your Application has been Hacked

NO

YES

Page 10: 2014 06-05-mozilla-afup

Why  Applica/on  Security  ?

54

Your Application

will be Hacked ;)

Your Application has been Hacked

YES

NO

YES

Page 11: 2014 06-05-mozilla-afup

Why  Applica/on  Security  ?

54

Your Application

will be Hacked ;)

Your Application has been Hacked

YES

NO

NO

YES

Page 12: 2014 06-05-mozilla-afup

Why  Applica/on  Security  ?

5

!Let Me take you on the right way 4

Your Application

will be Hacked ;)

Your Application has been Hacked

YES

NO

NO

YES

Page 13: 2014 06-05-mozilla-afup

Why  Applica/on  Security  ?

5

My Application will be hacked !

!Let Me take you on the right way 4

Your Application

will be Hacked ;)

Your Application has been Hacked

YES

NO

NO

YES

Page 14: 2014 06-05-mozilla-afup

Why  Applica/on  Security  ?

5

My Application will be hacked !

!Let Me take you on the right way 4

Your Application

will be Hacked ;)

Your Application has been Hacked

YES

NO

NO

YES

Next Step

Page 15: 2014 06-05-mozilla-afup

First  form  in  PHP

6

Page 16: 2014 06-05-mozilla-afup

First  form  in  PHP

6

Page 17: 2014 06-05-mozilla-afup

First  form  in  PHP

6

<?php      $email  =  $_REQUEST['email']  ;      $message  =  $_REQUEST['message']  ;  !    mail(  "[email protected]",  "Feedback  Form  Results",          $message,  "From:  $email"  );      header(  "Loca/on:  hgp://www.example.com/thankyou.html"  );  ?>

Page 18: 2014 06-05-mozilla-afup

7

Page 19: 2014 06-05-mozilla-afup

7

Page 20: 2014 06-05-mozilla-afup

7

Page 21: 2014 06-05-mozilla-afup

How  to  create  a  login  page  in  PHP  and  Mysql

8

Page 22: 2014 06-05-mozilla-afup

9

Page 23: 2014 06-05-mozilla-afup

9

<?php !define('DB_HOST', 'localhost'); !define('DB_NAME', 'practice');!define('DB_USER','root'); !define('DB_PASSWORD','');!!$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error()); !$db=mysql_select_db(DB_NAME,$con) or die("Failed to connect to MySQL: " . mysql_error()); !/* $ID = $_POST['user']; $Password = $_POST['pass']; */!!function SignIn() {!! session_start(); //starting the session for user profile page!! if(!empty($_POST['user'])) //checking the 'user' name which is from Sign-In.html, is it empty or have some text !! { !! $query = mysql_query("SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysql_error());!! $row = mysql_fetch_array($query) or die(mysql_error());!! !! ! if(!empty($row['userName']) AND !empty($row['pass'])) !! ! {!! ! $_SESSION['userName'] = $row['pass']; !! ! ! echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";! ! ! } else { ! ! ! echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";! ! ! } ! ! } ! } !!if(isset($_POST['submit'])) !{! SignIn(); !} ?>!

Page 24: 2014 06-05-mozilla-afup

10

Page 25: 2014 06-05-mozilla-afup

10

Page 26: 2014 06-05-mozilla-afup

10

Page 27: 2014 06-05-mozilla-afup

Game  Over....

• Did  you  have  VoIP  Phone  ?    !

• Did  you  have  IP  Router  /  Broadband  box    ?    !

• Did  you  have  smartphone  ?  !

• Did  you  have  customers  /  partners  over  Internet  ?

11

Page 28: 2014 06-05-mozilla-afup

Anything  else  ?  

12

Page 29: 2014 06-05-mozilla-afup

We  are  living  in  a  Digital  environment,  in  a  Connected  World

v Most  of  websites  vulnerable  to  agacks  v Important  %  of  web-­‐based  Business  (Services,  Online  Store,  Self-­‐care,  Telcos,  SCADA,  ...)

Why  Applica/on  Security  ?  

Age  of  An/virus Age  of    Network  Security

Age  of    Applica/on  Security

13

Page 30: 2014 06-05-mozilla-afup

14(c)  Verizon  2014

Page 31: 2014 06-05-mozilla-afup

14(c)  Verizon  2014

Page 32: 2014 06-05-mozilla-afup

14(c)  Verizon  2014

Page 33: 2014 06-05-mozilla-afup

14(c)  Verizon  2014

Page 34: 2014 06-05-mozilla-afup

Who  win  ?  

15(c) WhiteHatSecurity 2013

Page 35: 2014 06-05-mozilla-afup

Vulnerabili/es  ?  

16(c)  WhiteHatSecurity  2013

Page 36: 2014 06-05-mozilla-afup

Mission  Driven

Nonprofit  |  World  Wide  |  Unbiased  !

OWASP  does  not  endorse  or  recommend  commercial  products  or  services

What  is  OWASP

17

Page 37: 2014 06-05-mozilla-afup

Community  Driven

30,000  Mail  List  Par/cipants  200  Ac/ve  Chapters  in  70  countries    

1600+  Members,  56  Corporate  Supporters    

What  is  OWASP

18

Page 38: 2014 06-05-mozilla-afup

200  Chapters,  1  600+  Members,  20  000+  Builders,  Breakers  and  Defenders

Around  the  World

19

Page 39: 2014 06-05-mozilla-afup

Quality  Resources

200+  Projects  15,000+  downloads  of  tools,  documenta/on  

What  is  OWASP

20

Page 40: 2014 06-05-mozilla-afup

Documenta&on

ToolsCode

50%

10% 40%

Quality  Resources

21

Page 41: 2014 06-05-mozilla-afup

Security  Lifecycle

22

Page 42: 2014 06-05-mozilla-afup

Security  Resources

23

Page 43: 2014 06-05-mozilla-afup

 NEWS  A  BLOG  

A  PODCAST  MEMBERSHIPS  MAILING  LISTS  A  NEWSLETTER  

APPLE  APP  STORE  VIDEO  TUTORIALS  

TRAINING  SESSIONS  SOCIAL  NETWORKING

24

Page 44: 2014 06-05-mozilla-afup

OWASP  Projects

25

Page 45: 2014 06-05-mozilla-afup

OWASP  Top10  2013

26

A1:  Injec&on

A2:  Viola&on  de  Ges&on  

d’authen&fica&on  et  de  session

A3:  Cross  Site  Scrip&ng  (XSS)

A4:Référence  directe  non  sécurisée  à  un  

objet

A5:  Mauvaise  configura&on  sécurité  

A6  :  Exposi&on  de  données  sensibles

A8:  Cross  Site  Request  Forgery  (CSRF)  

A10:    Redirec&ons    et  transferts  non  validés

A7:  Manque  de  contrôle  d’accès  fonc&onnel

A9:  U&lisa&on  de  composants  avec  des  vulnérabilités  connues

Page 46: 2014 06-05-mozilla-afup

OWASP  Top10  2013

26

A1:  Injec&on

A2:  Viola&on  de  Ges&on  

d’authen&fica&on  et  de  session

A3:  Cross  Site  Scrip&ng  (XSS)

A4:Référence  directe  non  sécurisée  à  un  

objet

A5:  Mauvaise  configura&on  sécurité  

A6  :  Exposi&on  de  données  sensibles

A8:  Cross  Site  Request  Forgery  (CSRF)  

A10:    Redirec&ons    et  transferts  non  validés

A7:  Manque  de  contrôle  d’accès  fonc&onnel

A9:  U&lisa&on  de  composants  avec  des  vulnérabilités  connues

ex-­‐A9(transport  non  sécurisé)  +  A7(Stockage  crypto)

Page 47: 2014 06-05-mozilla-afup

OWASP  Top10  2013

26

A1:  Injec&on

A2:  Viola&on  de  Ges&on  

d’authen&fica&on  et  de  session

A3:  Cross  Site  Scrip&ng  (XSS)

A4:Référence  directe  non  sécurisée  à  un  

objet

A5:  Mauvaise  configura&on  sécurité  

A6  :  Exposi&on  de  données  sensibles

A8:  Cross  Site  Request  Forgery  (CSRF)  

A10:    Redirec&ons    et  transferts  non  validés

A7:  Manque  de  contrôle  d’accès  fonc&onnel

A9:  U&lisa&on  de  composants  avec  des  vulnérabilités  connues

ex-­‐A9(transport  non  sécurisé)  +  A7(Stockage  crypto)

Page 48: 2014 06-05-mozilla-afup

Developer  Cheat  Sheets  § PHP  Security  Cheat  Sheet  § OWASP  Top  Ten  Cheat  Sheet  § Authen/ca/on  Cheat  Sheet  § Cross-­‐Site  Request  Forgery  (CSRF)  Preven&on  Cheat  

Sheet  § Cryptographic  Storage  Cheat  Sheet  § Input  Valida/on  Cheat  Sheet  § XSS  (Cross  Site  Scrip&ng)  Preven&on  Cheat  Sheet  § DOM  based  XSS  Preven/on  Cheat  Sheet  § Forgot  Password  Cheat  Sheet  § Query  Parameteriza&on  Cheat  Sheet  § SQL  Injec&on  Preven&on  Cheat  Sheet  § Session  Management  Cheat  Sheet  § HTML5  Security  Cheat  Sheet  § Transport  Layer  Protec/on  Cheat  Sheet  § Web  Service  Security  Cheat  Sheet  § Logging  Cheat  Sheet  § JAAS  Cheat  Sheet

Mobile  Cheat  Sheets  § IOS  Developer  Cheat  Sheet  § Mobile  Jailbreaking  Cheat  Sheet  Drax  Cheat  Sheets  § Access  Control  Cheat  Sheet  § REST  Security  Cheat  Sheet  § Abridged  XSS  Preven/on  Cheat  Sheet  § Password  Storage  Cheat  Sheet  § Secure  Coding  Cheat  Sheet  § Threat  Modeling  Cheat  Sheet  § Clickjacking  Cheat  Sheet  § Virtual  Patching  Cheat  Sheet  § Secure  SDLC  Cheat  Sheet  § Web  Applica/on  Security  Tes/ng  Cheat  

Sheet  § Applica/on  Security  Architecture  Cheat  

Sheet

Cheat  Sheets

27

Page 49: 2014 06-05-mozilla-afup

Project  Leader:  Chris  Schmidt,  [email protected]  Purpose:  A  free,  open  source,  web  applica/on  security  control  library  that  makes  it  easier  for  programmers  to  write  lower-­‐risk  applica/ons  !!

!!!!!!!!!

hgps://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Enterprise  Security  API

28

PHP Version : https://code.google.com/p/owasp-esapi-php/

Page 50: 2014 06-05-mozilla-afup

Project Leader: Abbas Naderi, [email protected]

Purpose:  OWASP  PHP  Security  Project  is  an  effort  by   a   group   of   PHP   developers   in   securing   PHP  web   applica/ons,   using   a   collec&on   of  decoupled  flexible   secure  PHP   libraries,  as  well  as  a  collec&on  of  PHP  tools.  

OWASP  PHP  Security  Project

29

hgps://www.owasp.org/index.php/OWASP_PHP_Security_Project

Page 51: 2014 06-05-mozilla-afup

Development   Guide:   comprehensive   manual   for   designing,   developing   and  deploying  secure  Web  Applica/ons  and  Web  Services  Code   Review   Guide:   mechanics   of   reviewing   code   for   certain   vulnerabili/es   &  valida/on  of  proper  security  controls  Tes/ng  Guide:  understand  the  what,  why,  when,  where,  and  how  of  tes/ng  web  applica/ons  !

!

hgps://www.owasp.org/index.php/Category:OWASP_Guide_Project  hgps://www.owasp.org/index.php/Category:OWASP_Code_Review_Project  hgps://www.owasp.org/index.php/Category:OWASP_Tes/ng_Project

Guides

30

Page 52: 2014 06-05-mozilla-afup

Zed  Agack  Proxy

Project  Leader:  Simon  Bennegs  (aka  Psiinon),  [email protected]  Purpose:  The  Zed  Agack  Proxy  (ZAP)  provides  automated  scanners  as  well  as  a  set  of  tools  that  allow  you  to  find  security  vulnerabili/es  manually  in  web  applica/ons.  Last  Release:  ZAP  2.3.1  (21  May  2014)  !!

!!!!!!!!

hgps://www.owasp.org/index.php/OWASP_Zed_Agack_Proxy_Project 31

Page 53: 2014 06-05-mozilla-afup

Intended   to   help   soxware   developers   and   their   clients   nego/ate   important  contractual   terms  and  condi/ons   related   to   the   security  of   the   soxware   to  be  developed  or  delivered.  CONTEXT:  Most  contracts  are  silent  on  these  issues,  and  the  par/es  frequently  have  drama/cally  different  views  on  what  has  actually  been  agreed  to.    OBJECTIVE:   Clearly   define   these   terms   is   the   best   way   to   ensure   that   both  par/es  can  make  informed  decisions  about  how  to  proceed.  

hgps://www.owasp.org/index.php/OWASP_Secure_Soxware_Contract_Annex

The  OWASP  Secure  Soxware    Contract  Annex

32

Page 54: 2014 06-05-mozilla-afup

Dates

• RSSIA  Bordeaux  :  20  Juin  – HeartBleed  revisited    

• AppSec  Europe  2014  -­‐  Cambridge  :  !!!!!

• Java  User  Groupe  Lille  &  Paris    – Secure  Coding  for  Java    a  la  rentrée  2014  

• Club  27001  /Paris  -­‐  25  Septembre  2014  –Présenta/on  de  la  norme  ISO  27034

33

Page 55: 2014 06-05-mozilla-afup

Soutenir  l’OWASP

• Différentes  solu/ons  :    – Membre  Individuel  :  50  $  – Membre  Entreprise  :  5000  $  – Dona/on  Libre  

• Soutenir  uniquement    le  chapitre  France  :  – Single  Mee/ng  supporter    

• Nous  offrir  une  salle  de  mee/ng  !    • Par/ciper  par  un  talk  ou  autre  !    • Dona/on  simple    

– Local  Chapter  supporter  :    • 500  $  à  2000  $  

34

Page 56: 2014 06-05-mozilla-afup

License

35

@SPoint  !

sebas/[email protected]