WebAppSec @ Ibuildings in 2014

Technology

Published on February 19, 2014

Author: relaxnow

Source: slideshare.net

Description

Internal workshop in 2014 on improving web application security.
Covers the OWASP Top 10, a Secure Software Development Lifecycle (SSDLC) and OWASP ASVS.

Web Application Security 2014 @ Ibuildings
Boy Baukema
29th January 2014, Vlissingen
Wednesday, February 5, 14

Fear, Uncertainty and Doubt (FUD)
Adobe / Apple / Drupal.org / Evernote / LinkedIn
Facebook / NYT / PHP.net
Java 0-days
SSL BREACH
High-profile customers are targets:
‣ AbuseHub
‣ MijnDomein
‣ RTLNieuws
Windows XP EOL in April ’14

What to do?
‣ OWASP Top 10 2013
‣ Status (Secure) Software Development Lifecycle
‣ OWASP ASVS 2013
‣ OWASP ASVS Bingo!

Security is a cross-cutting concern
'Director's home router also of interest to hackers'

OWASP Top 10 (2013) time!

A1-Injection
‣ SQL Injection
‣ HTML Injection
‣ XML Injection
  • XML External Entities (XXE)
‣ JavaScript Injection
‣ CSS Injection

A2-Broken Authentication and Session Management
‣ Session Fixation
‣ Missing Session Timeout
‣ Login over HTTP
‣ Unprotected Password Reset

HTTP Strict Transport Security
Strict-Transport-Security:
‣ max-age=60000;
‣ includeSubDomains

A3-Cross-Site Scripting (XSS)
‣ Stored
‣ Reflected
‣ DOM based
See Injection.

Content-Security-Policy
Content-Security-Policy(-Report-Only):
‣ default-src 'none';
‣ script-src https://cdn.mybank.net;
‣ style-src https://cdn.mybank.net;
‣ img-src https://cdn.mybank.net;
‣ connect-src https://api.mybank.com;
‣ frame-src 'self';
‣ report-uri /my_amazing_csp_report_parser;
IE10+, FF4+, Chrome 14+, (iOS) Safari 5.1+, Android 4.4+
http://caniuse.com/contentsecuritypolicy

A4-Insecure Direct Object References

A5-Security Misconfiguration
‣ Out-of-date PHP version (PHP < 5.3; < 5.4 after July)
‣ admin/admin
‣ Stack traces
‣ php.ini
  • max_execution_time = 0
  • session.cookie_httponly = Off
  • session.cookie_secure = Off
  • allow_url_fopen = On
  • See: PhpSecInfo

A6-Sensitive Data Exposure
‣ Unsalted passwords
‣ Unencrypted Credit Cards
‣ Passwords / Session tokens over HTTP

A7-Missing Function Level Access Control

A8-Cross-Site Request Forgery (CSRF)

A9-Using Components with Known Vulnerabilities

A10-Unvalidated Redirects and Forwards

BONUS: Clickjacking

X-Frame-Options
‣ DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
‣ SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
‣ ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin.
IE8+, Chrome 4+, FF 3.6+, Safari 4+
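As an added example (not part of the deck), a small Python checker that parses a captured HTTP response and reports which recommendations from the HSTS, CSP, php.ini cookie-flag and X-Frame-Options slides it misses; the sample response and cookie name are constructed.

```python
# Added example, not from the deck: audit a captured HTTP response header block
# against the HSTS, CSP, php.ini cookie-flag and X-Frame-Options recommendations.
# Constructed sample: no includeSubDomains, no report-uri, no X-Frame-Options, no Secure flag.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=60000
Content-Security-Policy: default-src 'none'; script-src https://cdn.mybank.net; frame-src 'self'
Set-Cookie: PHPSESSID=constructedsessionid; path=/; HttpOnly
"""

def parse_headers(raw):
    # Headers keyed by lowercase name; repeated headers (Set-Cookie) keep every value.
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    # One finding per deck recommendation the response does not meet.
    h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security", [""])[0].lower()
    if "max-age=" not in hsts:
        findings.append("HSTS: Strict-Transport-Security header missing")
    elif "includesubdomains" not in hsts:
        findings.append("HSTS: includeSubDomains not set")
    policy = h.get("content-security-policy") or h.get("content-security-policy-report-only")
    if not policy:
        findings.append("CSP: no Content-Security-Policy header")
    else:  # directives are ';'-separated "name sources" pairs
        directives = {}
        for part in policy[0].split(";"):
            name, _, sources = part.strip().partition(" ")
            if name:
                directives[name.lower()] = sources.strip()
        if directives.get("default-src") != "'none'":
            findings.append("CSP: default-src is not 'none'")
        if "report-uri" not in directives:
            findings.append("CSP: no report-uri, so violations go unreported")
    xfo = h.get("x-frame-options", [""])[0].upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not xfo.startswith("ALLOW-FROM "):
        findings.append("Clickjacking: X-Frame-Options missing or invalid")
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        flags = {p.strip().lower() for p in cookie.split(";")[1:]}
        if "httponly" not in flags:
            findings.append(f"Cookie {name}: HttpOnly missing (session.cookie_httponly)")
        if "secure" not in flags:
            findings.append(f"Cookie {name}: Secure missing (session.cookie_secure)")
    return findings
```

Running `audit(SAMPLE_RESPONSE)` yields four findings; feed it the header block of a real response (for example from `curl -sI`) to check a deployment against the same list.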

SSDLC
Secure Software Development LifeCycle

Secure Software Development Life Cycle
Source: http://pentestmag.com/security-and-the-software-development-life-cycle/

Requirements / Functional Design
‣ Threat modeling
‣ Security Requirements

Architecture & Design / Technical Design
‣ Web App Review

Development / Implementation
‣ Secure Coding Practices
‣ Whitebox Testing

Development: Secure Coding Guidelines
‣ Use only POST for credentials
‣ Notify users when a password reset occurs
‣ Re-authenticate users prior to performing critical operations
‣ Logout functionality should be available from all pages protected by authorization
‣ Generate a new session identifier on any reauthentication
‣ Logging controls should support both success and failure of specified security events
Source: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf

Development: (360) Code Reviews

Testing
‣ Greybox testing

Deployment
‣ Greybox security testing by third party

Maintenance / SLA
‣ Black box quarterly
‣ Grey box annually
‣ Monitoring
‣ Security Patches

Training
‣ Basic WebAppSec training
‣ Secure Coding training
‣ QA & Testing training

OWASP ASVS 2013

Security Checklist

Leveling up
Requirements: 164 136 47

Scope

Requirements
V1. Authentication
V2. Session Management
V3. Access Control
V4. Input Validation
V5. Cryptography (at Rest)
V6. Error Handling and Logging
V7. Data Protection
V8. Communication Security
V9. HTTP Security
V10. Malicious Controls
V11. Business Logic
V12. Files and Resources
V13. Mobile

An example

Annotated ASVS 2013

An AASVS Requirement has...
‣ Short Title
‣ Long Title
‣ Verification PASS
‣ Verification FAIL
‣ Verification Help
‣ [Verification Help for PHP]
‣ [Verification Help for Drupal]
‣ [Verification Help for Symfony 2]
‣ Related Resources

Security Audit Template
‣ Introduction
  • Target Of Verification
  • Scope
  • Confidentiality
‣ Document History, TOC
‣ Conclusions
‣ V1 - V13
‣ Appendix A: Source Code analysis
‣ Appendix B: Third Party libraries

Risk Rating
Source: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

OWASP ASVS 2013 and the SSDLC

FAQ
‣ So we must be fully ASVS compliant?
‣ ...?

ASVS BINGO!

BINGO!

Prizes

Bootcamp

Verify it

Your Script for today
100 Fork the Template to your personal space.
220 Pop the ‘TODO’ stack of Requirements
221 If no Requirement, GOTO 350
230 Assign the Requirement (mark with your name).
231 Verify Requirement.
232 Report the results.
240 Push Requirement in the ‘DONE’ stack
241 GOTO 220
350 Review the DONE stack.
