Establishing Your Organization's Enterprise Security API
TRANSCRIPT
8/14/2019 Establishing Your Organization's Enterprise Security API
http://slidepdf.com/reader/full/establishing-your-organizations-enterprise-security-api
Copyright © 2006 – Aspect Security – www.aspectsecurity.com

Establishing Your Organization's Enterprise Security API
Jeff Williams
Aspect Security CEO
OWASP Chair
The Challenge…
Your organization has hundreds of applications
Every one of them needs:
- Authentication, access control, input validation, encoding, encryption, logging, error handling, etc.
You can use these building blocks:
- Log4j, Reform, ACEGI, Struts, Stinger, Spring, Validator, Jasypt, JCE, JAAS, Cryptix, BouncyCastle, Anti-XSS, xml-dsig, xml-enc, lots lots more…
Approach
Using security controls is different from building
- All the security guidelines, courses, tutorials, websites, books, etc. are all mixed up because everyone builds their own controls
Most developers shouldn't build security controls
- When to use a control
- How to use a control
- Why to use a control (maybe)
Most enterprises need the same set of calls
Design
Only include methods that…
- Are useful in a large percentage of applications
- Focus on the most risky areas
Designed to be simple to understand and use
- Interfaces with concrete reference implementation
- Full documentation and usage examples
Same basic API across common platforms
- Java EE, .NET, PHP, others?
Architecture Overview
[Architecture diagram: the Custom Enterprise Web Application sits on top of the Enterprise Security API, which in turn sits on top of Existing Enterprise Libraries and Services. ESAPI components shown: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, ExceptionHandling, Logger, IntrusionDetector, SecurityConfiguration.]
Benefits of Integration
One library for each function doesn't work!

ESAPI Feature | Benefits
Unified error handling | Comprehensive security logging and intrusion detection
Strong cryptography | Creating passwords, tokens, random filenames, keys, etc.
Identity everywhere | Simplifies API, enables access control, logging, and intrusion detection
Centralized configuration | One place to set all security relevant parameters securely
Simple consistent API | Developers actually do the security checks consistently
Customizing
Your ESAPI Implementation
- Wrap your existing libraries and services
- Extend and customize your ESAPI implementation
- Fill in gaps with the reference implementation
Your Coding Guideline
- Tailor the ESAPI coding guidelines
- Retrofit ESAPI patterns to existing code
Frameworks and ESAPI
ESAPI is NOT a framework
- Just a collection of security functions, not "lock in"
Frameworks already have some security
- Controls are frequently missing, incomplete, or wrong
ESAPI Framework Integration Project
- We'll share best practices for integrating
- Hopefully, framework teams like Struts adopt ESAPI
Project Plan and Status
2002 – Start Collecting
6/06 – Sketch Informal API
4/07 – Formalize Strawman API
5/07 – Start Java EE Reference Implementation
7/07 – Form Expert Panel
9/07 – Sneak Peek
11/07 – Release RC1
Quality
Handling Authentication and Identity
[Diagram: User -> Controller -> Business Functions -> Data Layer -> Backend, with ESAPI providing Authentication, Access Control, Logging, and Intrusion Detection across every layer, backed by a Users store.]
Authenticator
Key Methods
- createUser(accountName, pass1, pass2)
- generateStrongPassword()
- getCurrentUser()
- login(request, response)
- verifyAccountNameStrength(acctName)
- verifyPasswordStrength(newPass, oldPass)
Use a thread-local variable to store the current User
Automatically change session on login and logout
Main program to set initial accounts
User
Key Methods
- changePassword(old, new1, new2)
- disable() enable()
- getAccountName() getScreenName()
- getCSRFToken()
- getLastFailedLoginTime() getLastLoginTime()
- getRoles() isInRole(role)
- isEnabled() isExpired() isLocked()
- loginWithPassword(password, request, response)
- logout(request, response)
- resetCSRFToken() resetPassword()
- verifyCSRFToken(token)
Enforcing Access Control
[Diagram: User -> User Interface -> Controller -> Business Functions -> Data Layer -> backends (Web Service, Database, Mainframe, File System, etc.). Access checks at each boundary: URL check at the controller, function checks around the business functions, data check at the data layer, service check and file check in front of the backends.]
AccessController
Key Methods
- isAuthorizedForData(key)
- isAuthorizedForFile(filepath)
- isAuthorizedForFunction(functionName)
- isAuthorizedForService(serviceName)
- isAuthorizedForURL(url)
Reference Implementation (not required)
- /admin/* | admin | allow | admin access to /admin
- /* | any | deny | default deny rule
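Added Python sketch (not ESAPI's own Java reference code) of the rule table above: the rule format `pattern | role | allow/deny | comment` is assumed, rules are evaluated top to bottom with the first match deciding, `any` matches every role, and the request path is normalized before matching so that dot segments cannot ride on a permissive pattern.

```python
# Added example, not ESAPI's own code: a model of the AccessController
# reference implementation's rule table from the slide.  Assumed rule
# format:  path-pattern | role | allow/deny | comment  (first match wins)
from dataclasses import dataclass
from fnmatch import fnmatchcase
from posixpath import normpath
from typing import Iterable, List, Set

# Constructed sample: the two rules shown on the slide.
RULES_TEXT = """
/admin/* | admin | allow | admin access to /admin
/* | any | deny | default deny rule
"""

@dataclass(frozen=True)
class Rule:
    pattern: str
    role: str
    allow: bool
    comment: str

def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, role, action, comment = (p.strip() for p in line.split("|", 3))
        if action not in ("allow", "deny"):
            raise ValueError("bad action %r in rule: %s" % (action, line))
        rules.append(Rule(pattern, role, action == "allow", comment))
    return rules

def is_authorized_for_url(rules: Iterable[Rule], url: str, roles: Set[str]) -> bool:
    # Canonicalize first: drop the query string and collapse "." and ".." so
    # /admin/../reports is matched as /reports and cannot ride on /admin/*.
    path = normpath("/" + url.split("?", 1)[0].lstrip("/"))
    for rule in rules:
        if not fnmatchcase(path, rule.pattern):
            continue
        if rule.role == "any" or rule.role in roles:
            return rule.allow   # first matching rule decides
    return False                # nothing matched: default deny
```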
Handling Direct Object References
[Diagram: the User only ever sees indirect references (e.g. http://app?file=7d3J93); the AccessReferenceMap translates them to direct references (e.g. Report123.xls) before they reach backends such as a Web Service, Database, Mainframe, or File System.]
AccessReferenceMap
Key Methods
- getDirectReference(indirectReference)
- getIndirectReference(directReference)
- iterator()
- update(directReferences)
Example
- http://www.ibank.com?file=report123.xls
- http://www.ibank.com?file=a3nr38
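Added Python sketch (not ESAPI's own Java code) of the AccessReferenceMap above: the map is built from the objects the user is authorized to see, hands out random short keys like the `a3nr38` in the example, and raises on any key it did not issue, so a direct name such as `report123.xls` sent by the client never resolves.

```python
# Added example, not ESAPI's own code: a model of AccessReferenceMap.  The user
# only ever sees random indirect keys; direct references such as file names stay
# server-side, and an unknown key raises instead of resolving to anything.
import secrets
import string
from typing import Dict, Iterable

class AccessControlException(Exception):
    """Raised when an indirect reference is not in this user's map."""

class AccessReferenceMap:
    ALPHABET = string.ascii_lowercase + string.digits   # "a3nr38"-style keys

    def __init__(self, direct_references: Iterable[str] = (), key_length: int = 6):
        self._key_length = key_length
        self._to_direct: Dict[str, str] = {}     # indirect key -> direct reference
        self._to_indirect: Dict[str, str] = {}   # direct reference -> indirect key
        self.update(direct_references)

    def _new_key(self) -> str:
        while True:   # the loop only matters on a (very unlikely) collision
            key = "".join(secrets.choice(self.ALPHABET) for _ in range(self._key_length))
            if key not in self._to_direct:
                return key

    def update(self, direct_references: Iterable[str]) -> None:
        # Called with the objects this user is authorized to see: references no
        # longer authorized are dropped, surviving ones keep their existing keys.
        wanted = set(direct_references)
        for direct in list(self._to_indirect):
            if direct not in wanted:
                del self._to_direct[self._to_indirect.pop(direct)]
        for direct in wanted:
            if direct not in self._to_indirect:
                key = self._new_key()
                self._to_indirect[direct] = key
                self._to_direct[key] = direct

    def get_indirect_reference(self, direct: str) -> str:
        return self._to_indirect[direct]

    def get_direct_reference(self, indirect: str) -> str:
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise AccessControlException("unknown reference: %r" % indirect) from None

    def iterator(self):
        return iter(self._to_direct)   # the indirect keys, e.g. to build links
```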
Validating and Encoding Untrusted Input
[Diagram: input from the User is validated before Business Processing, and output is encoded for its destination: EncodeForHTML toward the browser, EncodeForLDAP toward a Directory, with validation on the way to Web Services, Databases, File Systems, etc.]
Validator
Key Methods
- canonicalize(input)
- isValidFileUpload(filepath, filename, content)
- isValidHTTPRequest(request)
- isValidCreditCard(input)
- isValid*****(input)
- isValidRedirectLocation(location)
- isValidSafeHTML(input)
- safeReadLine(inputStream, maxchars)
Canonicalization is really important
Global validation of HTTP requests
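Added Python sketch (not ESAPI's own Java code) of why canonicalization comes first: `canonicalize()` undoes URL and HTML entity encoding until the value stops changing and reports how many passes that took, and the assumed `is_valid_input()` validates the canonical form and rejects anything that needed more than one pass, i.e. was multiply encoded.

```python
# Added example, not ESAPI's own code: a canonicalize() in the spirit of the
# Validator slide.  It decodes until the value is stable; needing more than one
# pass means the input was multiply encoded, which is treated as invalid rather
# than silently decoded.
import re
from html import unescape
from urllib.parse import unquote

class ValidationException(Exception):
    pass

def canonicalize(value: str, max_passes: int = 4):
    """Return (decoded_value, passes_needed); raise if it never stabilizes."""
    decoded = value
    for passes in range(max_passes + 1):
        step = unquote(unescape(decoded))   # one pass of HTML-entity then URL decoding
        if step == decoded:
            return decoded, passes
        decoded = step
    raise ValidationException("input did not stabilize after %d passes" % max_passes)

def is_valid_input(value: str, pattern: str, max_length: int = 64) -> bool:
    # Validate the canonical form, never the raw bytes, and reject anything
    # that needed more than one decoding pass (double encoding).
    try:
        canonical, passes = canonicalize(value)
    except ValidationException:
        return False
    if passes > 1 or len(canonical) > max_length:
        return False
    return re.fullmatch(pattern, canonical) is not None
```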
Encoder
Key Methods
- encodeForBase64(input)
- encodeForDN(input)
- encodeForHTML(input)
- encodeForHTMLAttribute(input)
- …, encodeForJavascript, encodeForLDAP, encodeForSQL, encodeForURL, encodeForVBScript, encodeForXML, encodeForXMLAttribute, encodeForXPath
Function names help tell developer when to use
Some of these are quite hard
Enhancing HTTP
[Diagram: HTTP Utilities sit between the User and Business Processing, with Logging alongside. Functions shown: Add CSRF Token, Verify CSRF Token, Secure Cookies, Secure Redirect, No Cache Headers, Safe Request Logging, Safe File Upload, Add Safe Header.]
HTTPUtilities
Key Methods
- addCSRFToken(href)
- addSafeHeader(header, value, response)
- changeSessionIdentifier(request)
- getFileUploads(request, tempDir, finalDir)
- killCookie(name, request, response)
- sendRedirect(href)
- setCookie(name, value, age, domain, path, response)
- setNoCacheHeaders(response)
Safer ways of dealing with HTTP, secure cookies
Encryptor
Key Methods
- decrypt(ciphertext)
- encrypt(plaintext)
- hash(plaintext, salt)
- loadCertificateFromFile(file)
- getTimeStamp()
- seal(data, expiration) verifySeal(seal, data)
- sign(data) verifySignature(signature, data)
Simple master key in configuration
Minimal certificate support
EncryptedProperties
Key Methods
- getProperty(key)
- setProperty(key, value)
- keySet()
- load(inputStream)
- store(outputStream, comments)
Simple protected storage for configuration data
Main program to preload encrypted data!
Randomizer
Key Methods
- getRandomInteger(min, max)
- getRandomReal(min, max)
- getRandomString(length, characterSet)
Several pre-defined character sets
- Lowers, uppers, digits, specials, letters, alphanumerics, password, etc.
Exception Handling
EnterpriseSecurityException
- AccessControlException
- AuthenticationException
- AvailabilityException
- CertificateException
- EncodingException
- EncryptionException
- ExecutorException
- IntrusionException
- ValidationException
Allows a sensible security exception framework
Logger
Key Methods
- getLogger(applicationName, moduleName)
- formatHttpRequestForLog(request, sensitiveList)
- logCritical(type, message, throwable)
- logDebug(type, message, throwable)
- logError(type, message, throwable)
- logSuccess(type, message, throwable)
- logTrace(type, message, throwable)
- logWarning(type, message, throwable)
All ESAPI exceptions are automatically logged
Detecting Intrusions
[Diagram: User -> Business Processing -> Backend, with the ESAPI IntrusionDetector receiving Events and Exceptions from each stage, applying tailorable quotas, and responding with Log, Logout, and Disable.]
IntrusionDetector
Key Methods
- addException(exception)
- addEvent(event)
Model
- EnterpriseSecurityExceptions automatically added
- Specify a threshold for each event type:
  org.owasp.esapi.ValidationException.count=3
  org.owasp.esapi.ValidationException.interval=3 (seconds)
  org.owasp.esapi.ValidationException.action=logout
  (alternatives are log message, disable account)
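Added Python sketch (not ESAPI's own Java code) of the quota model above: the three `org.owasp.esapi.ValidationException.*` properties from the slide are parsed into a per-event threshold, every exception added is counted as an event of its type, and once `count` events from one user fall within `interval` seconds the configured action fires; the action callables and explicit timestamps are assumptions for a deterministic demonstration.

```python
# Added example, not ESAPI's own code: a model of the IntrusionDetector quota
# model driven by the threshold properties shown on the slide.  Event times are
# passed in explicitly (seconds) so the behaviour is deterministic.
from collections import defaultdict, deque
from typing import Callable, Dict, Optional
# Constructed config: the slide's three properties for ValidationException.
THRESHOLDS_TEXT = """
org.owasp.esapi.ValidationException.count=3
org.owasp.esapi.ValidationException.interval=3
org.owasp.esapi.ValidationException.action=logout
"""
class EnterpriseSecurityException(Exception):
    esapi_name = "org.owasp.esapi.EnterpriseSecurityException"

class ValidationException(EnterpriseSecurityException):
    esapi_name = "org.owasp.esapi.ValidationException"

def parse_thresholds(text: str) -> Dict[str, dict]:
    thresholds: Dict[str, dict] = defaultdict(dict)
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        event, field = key.rsplit(".", 1)   # e.g. "...ValidationException", "count"
        thresholds[event][field] = int(value) if field in ("count", "interval") else value
    return dict(thresholds)

class IntrusionDetector:
    def __init__(self, thresholds: Dict[str, dict],
                 actions: Dict[str, Callable[[str, str], None]]):
        self._thresholds = thresholds
        self._actions = actions              # "logout" -> callable(user, event)
        self._history = defaultdict(deque)   # (user, event) -> recent timestamps

    def add_exception(self, user: str, exc: EnterpriseSecurityException, now: float):
        # Every EnterpriseSecurityException is counted as an event of its own type.
        return self.add_event(user, exc.esapi_name, now)

    def add_event(self, user: str, event: str, now: float) -> Optional[str]:
        rule = self._thresholds.get(event)
        if rule is None:
            return None                      # no quota configured for this event
        window = self._history[(user, event)]
        window.append(now)
        while now - window[0] > rule["interval"]:   # forget events outside the interval
            window.popleft()
        if len(window) < rule["count"]:
            return None
        window.clear()                       # threshold hit: fire the action and reset
        self._actions[rule["action"]](user, event)
        return rule["action"]
```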
SecurityConfiguration
Customizable…
- Crypto algorithms
- Encoding algorithms
- Character sets
- Global validation rules
- Logging preferences
- Intrusion detection thresholds and actions
- Etc.
OWASP Top Ten Coverage

OWASP Top Ten | OWASP ESAPI
A1. Cross Site Scripting (XSS) | Validator, Encoder
A2. Injection Flaws | Encoder
A3. Malicious File Execution | HTTPUtilities (upload)
A4. Insecure Direct Object Reference | AccessReferenceMap
A5. Cross Site Request Forgery (CSRF) | User (csrftoken)
A6. Leakage and Improper Error Handling | EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions | Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage | Encryptor
A9. Insecure Communications | HTTPUtilities (secure cookie)
A10. Failure to Restrict URL Access | AccessController
Closing Thoughts
I have learned an amazing amount (I thought I knew)
An ESAPI is a key part of a balanced breakfast
- Build coding guidelines, training, tools around your ESAPI
Secondary benefits
- May help static analysis do better
- Enables security upgrades across applications
- Simplifies developer training
Next year – experiences moving to ESAPI