owasp enterprise security api (esapi) for c plus plus · 2020-01-17 · owasp enterprise security...
OWASP Enterprise Security API (ESAPI) for C Plus Plus
Dan Amodio, ESAPI for C Project Leader, Dan.Amodio@owasp.org, [email protected]
April 5th, 2012
Who am I?
OWASP
ESAPI – C Project leader
ESAPI – C++ Contributor
Work
Application Security Engineer – Aspect Security
Experience
Code Reviews
Architecture Reviews
Penetration Testing
Software Development
Have Wife, Daughter, Hobbies, etc.
You?
Developers
Managers
Security Professionals
This Presentation
ESAPI Project Overview
ESAPI for C Plus Plus (yes… really.)
Integrating Security Controls (DEMO)
ESAPI Future (3.0)
WHAT IS ESAPI?
Free and Open Source (OWASP)
Free and Open Source (OWASP)
Enhanced Small Arms Protective Insert
Armor for your apps
Custom Enterprise Web Application
OWASP Enterprise Security API (diagram of its components): Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
Your Existing Enterprise Services or Libraries
ESAPI Pattern Across Languages
Security Control Interfaces
Reference Implementations
Customizable
Why Are Centralized Controls Important?
Too many cooks in the kitchen!
No Central Controls
Develop Lower Risk Applications
Vulnerabilities and Security Controls (chart)
Missing: 35%
Broken: 30%
Ignored: 20%
Misused: 15%
Potential ESAPI Cost Savings
ESAPI Language Availability
Java EE
Dot NET
ASP
PHP
ColdFusion
Python
JavaScript
Objective C
Force.com
Ruby
C
C++
Perl
Feature Set vs. Programming Language
Authentication 2.0 1.4 1.4 1.4 2.0 planned
Identity 2.0 1.4 1.4 1.4 2.0 planned
Access Control 2.0 1.4 1.4 1.4 1.4 2.0 planned
Input Validation 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Output Escaping 2.0 1.4 1.4 1.4 1.4 2.0 2.0
Canonicalization 2.0 1.4 1.4 1.4 1.4 2.0 ???
Encryption 2.0 1.4 1.4 1.4 1.4 2.0
Random Numbers 2.0 1.4 1.4 1.4 1.4 2.0
Exception Handling 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Logging 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Intrusion Detection 2.0 1.4 1.4 1.4
Security Configuration 2.0 1.4 1.4 1.4 1.4 1.4 2.0 TBD
WAF 2.0
WHY ESAPI FOR C++?
Reasoning
Sponsored by Government
Currently ESAPI for C
C++ is still popular and used in critical applications
Almost 40k C++ Projects on Sourceforge
http://sourceforge.net/directory/
Over 6k C++ Jobs on Dice
Retro-fit Existing Applications
Critical Utilities / Systems
Telecom
Defense
Banking / Trading
Enterprise Apps
Point of Sale
Employee Interfaces
Airline applications
Terminal Systems
???
New Applications
MMO Games
Critical Utilities / Systems
Embedded Applications
Server Applications
???
ESAPI C++ Controls
Authentication
User
Access Control
Validation
Encoding
Execution
Encryption
Logging
DEMO
Example ESAPI Integration
Example Workflow
ARCHITECTURE
Design Choices, Controls, Dependencies
Design Approach
Based on the Java design
Removed Web Specifics
Reached out to the community
ESAPI C++ Controls
Custom Enterprise Application
OWASP Enterprise Security API for C++ (diagram of its components): Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
Your Existing Enterprise Services or Libraries
ESAPI C++ Controls
Authentication
User
Access Control
Validation
Encoding
Execution
Encryption
Logging
General Requirements
Cross-Platform
Lightweight
Easy to setup and use
Thread / Memory safe
Not a memory management solution
Cross-Platform Testing
Windows / Unix
Compilers
Visual Studio 2008 / 2010
GCC
Intel ICC
Unit testing
Lightweight
Few Dependencies
Boost
Crypto++
Easy to setup and use
Documentation
Few dependencies
Require as little as possible from the developer
Thread / Memory Safe
Locking
Minimal use of pointers
Code review
Assertions (nullptr/0/null?)
SafeInt class written by David LeBlanc
http://safeint.codeplex.com/
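As an added illustration of the class of bug the SafeInt dependency above guards against (this is constructed for this page; it is neither the SafeInt library nor ESAPI C++ code, and all names are hypothetical), the helpers below mirror SafeInt's fail-closed behaviour: an arithmetic result that does not fit in the type throws instead of wrapping, so a buffer size can never be computed from a wrapped value.

```cpp
#include <cstddef>
#include <limits>
#include <stdexcept>
#include <vector>

// Illustrative checked-arithmetic helpers (assumption: not SafeInt itself and
// not ESAPI C++ code). Like SafeInt they fail closed: a result that does not
// fit throws rather than silently wrapping around.
struct IntegerOverflow : public std::runtime_error {
    IntegerOverflow() : std::runtime_error("integer overflow") {}
};

// Multiply, throwing when the product would exceed size_t's range.
std::size_t checkedMul(std::size_t a, std::size_t b) {
    if (a != 0 && b > std::numeric_limits<std::size_t>::max() / a)
        throw IntegerOverflow();
    return a * b;
}

// Add, throwing when the sum would exceed size_t's range.
std::size_t checkedAdd(std::size_t a, std::size_t b) {
    if (b > std::numeric_limits<std::size_t>::max() - a)
        throw IntegerOverflow();
    return a + b;
}

// The unchecked size computation: count * elemSize wraps modulo 2^N for large
// inputs, so the returned byte count can be far smaller than the caller
// expects, and a buffer sized from it is too small for the records it holds.
std::size_t uncheckedRecordBytes(std::size_t count, std::size_t elemSize,
                                 std::size_t headerLen) {
    return count * elemSize + headerLen;
}

// The checked version of the same computation. A wrapped size never reaches
// the allocation; the caller gets an exception to handle instead.
std::vector<unsigned char> allocateRecords(std::size_t count,
                                           std::size_t elemSize,
                                           std::size_t headerLen) {
    std::size_t bytes = checkedAdd(checkedMul(count, elemSize), headerLen);
    return std::vector<unsigned char>(bytes);
}

// Does the checked path reject this request? Useful for callers and tests.
bool rejectsRequest(std::size_t count, std::size_t elemSize,
                    std::size_t headerLen) {
    try {
        allocateRecords(count, elemSize, headerLen);
        return false;
    } catch (const IntegerOverflow&) {
        return true;
    }
}
```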
Memory Management
Not a memory management solution
Crypto
Consistent with Java Implementation
Requirement - Not broken
Jeff Walton
Kevin Wall (Fixed ESAPI Java crypto)
Wei Dai's Crypto++
http://www.cryptopp.com/
Current Project State
Not production ready
Some unfinished components and issues
Unicode
Reference Implementations
Need contributors and testers
How to get involved (C++)
http://www.google.com/search?q=esapi+c%2B%2B
Google Code http://code.google.com/p/owasp-esapi-cplusplus/
OWASP https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Mailing List https://lists.owasp.org/mailman/listinfo/owasp-esapi-c++
How to get involved (C)
Google Code http://code.google.com/p/owasp-esapi-c/
OWASP https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Mailing List https://lists.owasp.org/mailman/listinfo/owasp-esapi-c
ESAPI Project Future
ESAPI Community
Pluggable Architecture
Just get what you need
Lots of Documentation!
Cheat Sheets / Guides
Videos