Using the OWASP Software Assurance Maturity Model (OpenSAMM) as a framework, this talk covers the major application security controls of a secure development lifecycle program as provided by OWASP. Featured OWASP open source material include: OWASP guidelines and tools such as ESAPI, ZAProxy, as well as educational resources.
The OWASP Foundation
http://www.owasp.org
Setting up a Secure Development Life Cycle with OWASP
Seba [email protected]
OWASP Foundation Board Member
BrightTALK Application Security summit
14-Nov-2012
Seba Deleersnyder?
Based in Belgium
5 years developer experience / 12 years information security experience
AppSec consultant, specialised in secure development lifecycle projects
Belgian OWASP chapter founder
OWASP board member
www.owasp.org
Co-organizer www.BruCON.org
OWASP World
OWASP is a worldwide free and open community focused on improving the security of application software.
Our mission is to make application security visible so that people and organizations can make informed decisions about application security risks.
Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.
The web application security challenge
Diagram: network-layer defenses (firewall, hardened OS, web server, app server, firewall) in front of the back-end systems (databases, legacy systems, web services, directories, human resources, billing), with the application attack passing through all of them straight to the custom developed application code.
You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
Diagram labels: Network Layer / Application Layer
Your security “perimeter” has huge holes at the application layer
“Build in” software assurance
Design Build Test Production
Controls per phase, from proactive to reactive:
• Design: security requirements / threat modeling
• Build: coding guidelines, code reviews, static test tools
• Test: security testing, dynamic test tools
• Production: vulnerability scanning, WAF
Secure Development Lifecycle (SAMM): D B T P
Software development lifecycle (SDLC)
Waterfall Agile
We need a Maturity Model
An organization’s behavior changes slowly over time
Changes must be iterative while working toward long-term goals
There is no single recipe that works for all organizations
A solution must enable risk-based choices tailored to the organization
Guidance related to security activities must be prescriptive
A solution must provide enough details for non-security-people
Overall, must be simple, well-defined, and measurable
OWASP Software Assurance Maturity Model (SAMM)
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
Three successive Objectives under each Practice
Education & Guidance
Resources:
• OWASP Top 10
• OWASP Education
• WebGoat
Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.
Chinese proverb
OWASP Top 10:
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Failure to Restrict URL Access
• A8: Insecure Cryptographic Storage
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://www.owasp.org/index.php/Category:OWASP_Education_Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Secure Coding Practices Quick Reference Guide
• Technology agnostic coding practices
• What to do, not how to do it
• Compact, but comprehensive checklist format
• Focuses on secure coding requirements, rather than on vulnerabilities and exploits
• Includes a cross-referenced glossary to get developers and security folks talking the same language
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
Code Review
Resources:
• OWASP Code Review Guide
SDL Integration:
• Multiple reviews defined as deliverables in your SDLC
• Structured, repeatable process with management support
• Reviews are exit criteria for the development and test phases
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
OWASP Cheat Sheets
Developer Cheat Sheets (Builder)
• Authentication Cheat Sheet
• Choosing and Using Security Questions Cheat Sheet
• Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
• Cryptographic Storage Cheat Sheet
• DOM based XSS Prevention Cheat Sheet
• Forgot Password Cheat Sheet
• HTML5 Security Cheat Sheet
• Input Validation Cheat Sheet
• JAAS Cheat Sheet
• Logging Cheat Sheet
• OWASP Top Ten Cheat Sheet
• Query Parameterization Cheat Sheet
• Session Management Cheat Sheet
• SQL Injection Prevention Cheat Sheet
• Transport Layer Protection Cheat Sheet
• Web Service Security Cheat Sheet
• XSS (Cross Site Scripting) Prevention Cheat Sheet
• User Privacy Protection Cheat Sheet
Assessment Cheat Sheets (Breaker)
• Attack Surface Analysis Cheat Sheet
• XSS Filter Evasion Cheat Sheet
Mobile Cheat Sheets
• IOS Developer Cheat Sheet
• Mobile Jailbreaking Cheat Sheet
Draft Cheat Sheets
• Access Control Cheat Sheet
• Application Security Architecture Cheat Sheet
• Clickjacking Cheat Sheet
• Password Storage Cheat Sheet
• PHP Security Cheat Sheet
• REST Security Cheat Sheet
• Secure Coding Cheat Sheet
• Secure SDLC Cheat Sheet
• Threat Modeling Cheat Sheet
• Virtual Patching Cheat Sheet
• Web Application Security Testing Cheat Sheet
https://www.owasp.org/index.php/Cheat_Sheets
Code review tooling
Code review tools:
• OWASP LAPSE (Security scanner for Java EE Applications)
• MS FxCop / CAT.NET (Code Analysis Tool for .NET)
• Agnitio (open source Manual source code review support tool)
https://www.owasp.org/index.php/OWASP_LAPSE_Project
http://www.microsoft.com/security/sdl/discover/implementation.aspx
http://agnitiotool.sourceforge.net/
Security Testing
Resources:
• OWASP ASVS
• OWASP Testing Guide
SDL Integration:
• Integrate dynamic security testing as part of your test cycles
• Derive test cases from the security requirements that apply
• Check business logic soundness as well as common vulnerabilities
• Review results with stakeholders prior to release
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
https://www.owasp.org/index.php/OWASP_Testing_Project
Security Testing
Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications
Provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually
Features:
• Intercepting proxy
• Automated scanner
• Passive scanner
• Brute force scanner
• Spider
• Fuzzer
• Port scanner
• Dynamic SSL Certificates
• API
• Beanshell integration
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Web Application Firewalls
Diagram: Web client (browser), Network Firewall, Web Application Firewall, Web Server, port 80; traffic labelled as malicious web traffic and legitimate web traffic.
ModSecurity: World’s No 1 open source Web Application Firewall
www.modsecurity.org
• HTTP Traffic Logging
• Real-Time Monitoring and Attack Detection
• Attack Prevention and Just-in-time Patching
• Flexible Rule Engine
• Embedded Deployment (Apache, IIS7 and Nginx)
• Network-Based Deployment (reverse proxy)
OWASP ModSecurity Core Rule Set Project: generic, plug-n-play set of WAF rules
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
The OWASP Enterprise Security API
Custom Enterprise Web Application
Enterprise Security API
ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
Existing Enterprise Security Services/Libraries
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Validation, Encoding, and Injection
Diagram: data flows from the User Interface through the Controller and Business Functions to the User Data Layer (Web Service, Database, Mainframe, File System, Etc…), with the controls Set Character Set, Encode For HTML, Any Encoding, Global Validate, Any Interpreter, Canonicalize, Specific Validate, Sanitize, Canonicalize, Validate placed at the trust boundaries.
Example and working code snippets to perform input validation and output encoding
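The canonicalize, validate, encode sequence from the diagram, as an added Python example that is not from the original slides or from ESAPI: it decodes URL and HTML-entity encoding until the input is stable, rejects input that needed more than one decoding pass (nested encoding), checks the canonical value against a per-field allow-list, and encodes for the HTML interpreter on output. The field names and allow-list patterns are constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# Per-field allow-lists (constructed for this example): validation is positive,
# the canonical value must match the pattern rather than merely avoid bad characters.
ALLOW_LIST = {
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
    "zipcode": re.compile(r"[0-9]{4,5}"),
}

def canonicalize(value, max_passes=4):
    """Reduce URL (%xx) and HTML-entity encodings to their simplest form.
    Returns (canonical_value, passes). Two or more passes means the value was
    nested (double) encoded, which legitimate input never is."""
    current, passes = value, 0
    while passes < max_passes:
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return current, passes

def validate(field, raw):
    """Canonicalize first, then check the canonical form against the allow-list.
    Rejects with ValueError instead of trying to 'clean' bad input."""
    canonical, passes = canonicalize(raw)
    if passes > 1:
        raise ValueError(f"{field}: nested encoding detected ({passes} passes)")
    if not ALLOW_LIST[field].fullmatch(canonical):
        raise ValueError(f"{field}: value does not match the allow-list")
    return canonical

def accepts(field, raw):
    """Predicate form of validate() for callers that only need yes/no."""
    try:
        validate(field, raw)
        return True
    except ValueError:
        return False

def encode_for_html(value):
    """Output side: encode for the HTML interpreter at the point of use,
    regardless of how well the value was validated on the way in."""
    return html.escape(value, quote=True)

def render_greeting(raw_username):
    """Whole pipeline: validated input is kept canonical, encoded when emitted as HTML."""
    return "<p>Hello, " + encode_for_html(validate("username", raw_username)) + "</p>"
```

Note that a value which reaches `render_greeting` has already passed the allow-list, yet it is still encoded for HTML: validation and output encoding are separate controls, and the encoder must be chosen per interpreter (HTML here, parameterized queries for SQL).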
150+ OWASP Projects
PROTECT
Tools: AntiSamy Java/.NET, Enterprise Security API (ESAPI), ModSecurity Core Rule Set Project
Docs: Development Guide, .NET, Ruby on Rails Security Guide, Secure Coding Practices - Quick Reference Guide
DETECT
Tools: JBroFuzz, Live CD, WebScarab, Zed Attack Proxy
Docs: Application Security Verification Standard, Code Review Guide, Testing Guide, Top Ten Project
LIFE CYCLE
SAMM, WebGoat, Legal Project
Get started
Step 1: questionnaire as-is
Step 2: define your maturity goal
Step 3: define phased roadmap
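The three Get started steps, as an added Python example that is not from the original slides or from the SAMM project: Step 1 scores a questionnaire into a current maturity level per Security Practice (three successive objective levels per practice), Step 2 sets a goal level, and Step 3 spreads the gap over phases one level at a time. The questionnaire answers, the goal levels and the rule that a level counts only when all of its questions are answered yes are constructed assumptions for this example; the practice names are SAMM 1.0's.

```python
# SAMM 1.0 Business Functions, each with its three Security Practices.
PRACTICES = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Review", "Code Review", "Security Testing"],
    "Deployment": ["Vulnerability Management", "Environment Hardening", "Operational Enablement"],
}

def maturity_level(answers):
    """Step 1: answers[i] holds the yes/no answers for the questions of
    objective level i+1 (three successive levels per practice).
    Assumption for this example: a level is reached only when every question
    at that level is answered yes and every lower level is reached too."""
    level = 0
    for level_answers in answers:
        if not level_answers or not all(level_answers):
            break
        level += 1
    return level

def assess(questionnaire):
    """Score every practice in the questionnaire; practices not answered stay at level 0."""
    scores = {p: 0 for fn in PRACTICES.values() for p in fn}
    for practice, answers in questionnaire.items():
        scores[practice] = maturity_level(answers)
    return scores

def phased_roadmap(as_is, goal, phases=3):
    """Step 3: raise each practice by at most one level per phase until the Step 2
    goal is met, so the change is iterative rather than a big-bang programme."""
    current = dict(as_is)
    plan = []
    for _ in range(phases):
        phase = {}
        for practice, target in goal.items():
            if current[practice] < target:
                current[practice] += 1
                phase[practice] = current[practice]
        plan.append(phase)
    return plan

# Constructed Step 1 answers: two questions per level for two Verification practices.
SAMPLE_QUESTIONNAIRE = {
    "Code Review": [[True, True], [True, False], [False, False]],
    "Security Testing": [[True, True], [True, True], [False, True]],
}
# Constructed Step 2 goal: both practices at level 3 within three phases.
SAMPLE_GOAL = {"Code Review": 3, "Security Testing": 3}
```

An empty phase at the end of the plan means the goal is reachable within the chosen number of phases; a non-empty last phase with practices still below target means the goal or the number of phases needs revisiting.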
Get involved
• Use and donate back!
• Attend OWASP chapter meetings and conferences
• Support OWASP: become a personal/company member
https://www.owasp.org/index.php/Membership
Q&A