setting up a secure development life cycle with owasp - seba deleersnyder


Upload: sebastien-deleersnyder

Post on 08-May-2015


DESCRIPTION

Using the OWASP Software Assurance Maturity Model (OpenSAMM) as a framework, this talk covers the major application security controls of a secure development lifecycle program as provided by OWASP. Featured OWASP open source materials include OWASP guidelines and tools such as ESAPI and ZAProxy, as well as educational resources.

TRANSCRIPT

Page 1: Setting up a secure development life cycle with OWASP - seba deleersnyder

The OWASP Foundation http://www.owasp.org

Setting up a Secure Development Life Cycle with OWASP

Seba Deleersnyder [email protected]

OWASP Foundation Board Member

BrightTALK Application Security summit

14-Nov-2012

1

Page 2

Seba Deleersnyder?

Based in Belgium

5 years developer experience / 12 years information security experience

AppSec consultant, specialised in secure development lifecycle projects

Belgian OWASP chapter founder

OWASP board member

www.owasp.org

Co-organizer www.BruCON.org


Page 3

OWASP World

OWASP is a worldwide free and open community focused on improving the security of application software.

Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks.

Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.

Page 4

The web application security challenge

[Diagram: an application attack passes straight through the network layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the Custom Developed Application Code, and from there reaches Databases, Legacy Systems, Web Services, Directories, Human Resources and Billing]

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks

Your security “perimeter” has huge holes at the application layer


Page 5

“Build in” software assurance

[Diagram: Secure Development Lifecycle (SAMM) across the phases Design, Build, Test, Production, with proactive controls on the left and reactive controls on the right]

Design: security requirements / threat modeling
Build: coding guidelines, code reviews, static test tools
Test: security testing, dynamic test tools
Production: vulnerability scanning, WAF

Page 6

Software development lifecycle (SDLC)

[Diagram: Waterfall and Agile development models]

Page 7

We need a Maturity Model

• An organization’s behavior changes slowly over time

• Changes must be iterative while working toward long-term goals

• There is no single recipe that works for all organizations

• A solution must enable risk-based choices tailored to the organization

• Guidance related to security activities must be prescriptive

• A solution must provide enough details for non-security people

• Overall, must be simple, well-defined, and measurable

OWASP Software Assurance Maturity Model (SAMM)

https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

Page 8

SAMM Security Practices

• From each of the Business Functions, 3 Security Practices are defined

• The Security Practices cover all areas relevant to software security assurance

• Each one is a ‘silo’ for improvement

Page 9

Three successive Objectives under each Practice


Page 10

Education & Guidance

Resources:

• OWASP Top 10

• OWASP Education

• WebGoat

Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.

Chinese proverb

OWASP Top 10 (2010):

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Insecure Cryptographic Storage
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://www.owasp.org/index.php/Category:OWASP_Education_Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project


Page 11

Secure Coding Practices Quick Reference Guide

• Technology agnostic coding practices

• What to do, not how to do it

• Compact, but comprehensive checklist format

• Focuses on secure coding requirements, rather than on vulnerabilities and exploits

• Includes a cross-referenced glossary to get developers and security folks talking the same language


https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide


Page 12

Code Review

Resources:

• OWASP Code Review Guide

SDL Integration:

• Multiple reviews defined as deliverables in your SDLC

• Structured, repeatable process with management support

• Reviews are exit criteria for the development and test phases


https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project


Page 13

OWASP Cheat Sheets

Developer Cheat Sheets (Builder)

Authentication Cheat Sheet
Choosing and Using Security Questions Cheat Sheet
Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
Cryptographic Storage Cheat Sheet
DOM based XSS Prevention Cheat Sheet
Forgot Password Cheat Sheet
HTML5 Security Cheat Sheet
Input Validation Cheat Sheet
JAAS Cheat Sheet
Logging Cheat Sheet
OWASP Top Ten Cheat Sheet
Query Parameterization Cheat Sheet
Session Management Cheat Sheet
SQL Injection Prevention Cheat Sheet
Transport Layer Protection Cheat Sheet
Web Service Security Cheat Sheet
XSS (Cross Site Scripting) Prevention Cheat Sheet
User Privacy Protection Cheat Sheet

Assessment Cheat Sheets (Breaker)

Attack Surface Analysis Cheat Sheet
XSS Filter Evasion Cheat Sheet

Mobile Cheat Sheets

IOS Developer Cheat Sheet
Mobile Jailbreaking Cheat Sheet

Draft Cheat Sheets

Access Control Cheat Sheet
Application Security Architecture Cheat Sheet
Clickjacking Cheat Sheet
Password Storage Cheat Sheet
PHP Security Cheat Sheet
REST Security Cheat Sheet
Secure Coding Cheat Sheet
Secure SDLC Cheat Sheet
Threat Modeling Cheat Sheet
Virtual Patching Cheat Sheet
Web Application Security Testing Cheat Sheet


https://www.owasp.org/index.php/Cheat_Sheets


Page 14

Code review tooling

Code review tools:

• OWASP LAPSE (Security scanner for Java EE Applications)

• MS FxCop / CAT.NET (Code Analysis Tool for .NET)

• Agnitio (open source Manual source code review support tool)


https://www.owasp.org/index.php/OWASP_LAPSE_Project
http://www.microsoft.com/security/sdl/discover/implementation.aspx
http://agnitiotool.sourceforge.net/

Page 15

Security Testing

Resources:

• OWASP ASVS

• OWASP Testing Guide

SDL Integration:

• Integrate dynamic security testing as part of your test cycles

• Derive test cases from the security requirements that apply

• Check business logic soundness as well as common vulnerabilities

• Review results with stakeholders prior to release

https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
https://www.owasp.org/index.php/OWASP_Testing_Project

Page 16

Security Testing

Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications

Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually

Features:

• Intercepting proxy
• Automated scanner
• Passive scanner
• Brute force scanner
• Spider
• Fuzzer
• Port scanner
• Dynamic SSL Certificates
• API
• Beanshell integration


https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project


Page 17

Web Application Firewalls

[Diagram: web client (browser) traffic on port 80 passes the Network Firewall and then a Web Application Firewall placed in front of the Web Server; the flows are labelled "Legitimate web traffic" and "Malicious web traffic"]

ModSecurity: World's No 1 open source Web Application Firewall, www.modsecurity.org

• HTTP Traffic Logging
• Real-Time Monitoring and Attack Detection
• Attack Prevention and Just-in-time Patching
• Flexible Rule Engine
• Embedded Deployment (Apache, IIS7 and Nginx)
• Network-Based Deployment (reverse proxy)

OWASP ModSecurity Core Rule Set Project: a generic, plug-n-play set of WAF rules


https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Page 18

The OWASP Enterprise Security API

[Diagram: a Custom Enterprise Web Application calls the Enterprise Security API, whose components are Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector and SecurityConfiguration; the API in turn builds on Existing Enterprise Security Services/Libraries]


https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API


Page 19

Validation, Encoding, and Injection

[Diagram: data flows from the User Interface through the Controller and Business Functions to the back-end interpreters (Web Service, Database, Mainframe, File System, User Data Layer, etc.). On the way in: Set Character Set, Canonicalize, Global Validate, Specific Validate, Sanitize. On the way out to the browser: Encode For HTML. Towards any other interpreter: Canonicalize, Validate, then the encoding that interpreter needs ("Any Encoding" for "Any Interpreter")]

Example and working code snippets to perform input validation and output encoding
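The canonicalize, validate, encode flow from this slide, carried through as an added Python illustration (not ESAPI's own code; ESAPI is a Java library whose Validator and Encoder play the same roles). The field rules and sample inputs are constructed for the example.

```python
import html
import re
import urllib.parse

class ValidationError(ValueError):
    """Raised when input fails canonicalization or validation."""

def canonicalize(raw: str) -> str:
    """Undo URL and HTML-entity encoding to reach the simplest form.
    One layer of encoding is normal; more than one (double or mixed
    encoding) is how validators get bypassed, so it is rejected."""
    current, changes = raw, 0
    while True:
        changed = False
        for decode in (urllib.parse.unquote, html.unescape):
            decoded = decode(current)
            if decoded != current:
                current, changes, changed = decoded, changes + 1, True
        if not changed:
            return current
        if changes > 1:
            raise ValidationError("multiple or mixed encoding detected")

# Constructed allow-list rules ("specific validate"), applied to the
# canonical value so an encoded '<' cannot pass as harmless text.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "comment": re.compile(r"[\w .,!?'-]{1,200}"),
}

def validate(field: str, raw: str) -> str:
    """Canonicalize, then check the value against the field's allow-list."""
    value = canonicalize(raw)
    if not FIELD_RULES[field].fullmatch(value):
        raise ValidationError(f"{field}: value does not match allow-list")
    return value

def encode_for_html(value: str) -> str:
    """Output encoding for the HTML interpreter, done at output time:
    validation restricts input, encoding makes what remains inert."""
    return html.escape(value, quote=True)

def render_comment(username: str, comment: str) -> str:
    """Validate on the way in, encode on the way out to the browser."""
    user = validate("username", username)
    text = validate("comment", comment)
    return f"<p><b>{encode_for_html(user)}</b>: {encode_for_html(text)}</p>"
```

Encoding for another interpreter (a database, a shell, LDAP) would be a different encoder, or, for SQL, query parameterization as the Query Parameterization Cheat Sheet recommends; HTML encoding only protects the browser context.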


Page 20

150+ OWASP Projects

PROTECT

Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project

Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide

DETECT

Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy

Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project

LIFE CYCLE

SAMM, WebGoat, Legal Project


Page 21

Get started

Step 1: questionnaire (as-is)

Step 2: define your maturity goal

Step 3: define phased roadmap

Page 22

Get involved

• Use and donate back!

• Attend OWASP chapter meetings and conferences

• Support OWASP: become a personal/company member https://www.owasp.org/index.php/Membership

Page 23

Q&A


Page 24

Contact

• @sebadele

[email protected]

[email protected]

• www.linkedin.com/in/sebadele
