jeff williams, ceo owasp nynj esapi... · 2012. 3. 30. · esapi specification (in progress) esapi...
TRANSCRIPT
Jeff Williams, CEO
OWASP NYNJ
11/17/2011
ESAPI is a philosophy
Not a library
“Secure the Application Portfolio”
“We Need Coverage!”
Portfolio Coverage
Vulnerability Coverage
I love finding vulns
• business layer access control issues
• internal identity management issues
• lack of a structured security error handling approach
• improper caching and pooling
• failure to log critical events
• logging sensitive information
• fail open security mechanisms
• many unusual forms of injection
• improper temporary storage of sensitive information
• encryption algorithm choice and implementation problems
• improperly protected credentials, keys, and other secrets
• backdoors, timebombs, easter eggs, and other malicious code
• all concurrency issues (race condition, toctou, deadlock, etc...)
• failure to use SSL to connect to backend systems
• lack of proper authentication with backend systems
• lack of access control over connections to backend systems
• lack of proper validation and encoding of data sent to and received from backend systems
• lack of proper error handling surrounding backend connections
• lack of centralization in security mechanisms
• other insane design and implementation patterns for security mechanisms
• code quality issues that lead to security issues (duplication, dead code, modularity, complexity, style)
• improper separation of test and production code
• lots more...
What’s in the list of things that you can’t really scan for?
• Account lockout
• Posting unreviewed content
• Weakly hashed credentials
• Time of check, time of use
• Timing channel
• Weak password recovery
• Forced browsing
Tools don’t even attempt to find business logic problems
Is anything you can’t scan for a business logic flaw?
[Decision diagram: Business Logic Flaw vs. Scan-able Flaw. Need to understand business? YES → business logic flaw (BLF); NO → not a business logic flaw. BLF / SCAN / ?]
Vulnerabilities and Controls
Missing and broken security controls: very difficult to find with static tools
NSA Center for Assured Software
• Seven tools
• 13,801 Test Cases
• 527 flaw types
• Various data and control flows
• 85% of problems were not “discriminated” by ANY tools
http://www.appsecusa.org/p/nsacas.pdf
Results with False Alarms
5|0|8|http://tester:8888/testapp
/|9E4CB3D5635C548906BFB576DD18C7
10|com.test.app.client.GreetingS
ervice|greetServer|[Ljava.lang.S
tring;/2600011424|hi|there|blah|
1|2|3|4|1|5|5|3|6|7|8|%26ping%20
-n%2020%20127.0.0.1%26
Ajax
Web Services
Serialized Objects
Mobile
WebSocket
Penetration testing is about to get a LOT harder.
The fastest cheapest way to get vulnerability coverage
Static Analysis
Manual Code Analysis
Dynamic Analysis
Manual Testing
Threat Modeling
Architecture Review
Vulnerability coverage is hard.
Portfolio Coverage
1000 apps x 1 week = $10m
It takes a village week*
* For any verification of risks you actually care about
“Finding” 1x
“Fixing” 4x
Invisible Cost
10,000 vulns x ($1,000 to find + $4,000 to fix) = $50m
* Static guys say 10-40 “vulns” per kloc
2000 vulns * $5,000 = $10m / year
Changed Code
New Code
Security Verification Docket
* Budget
* Resources
* Planning
New and Changed Applications
Legacy Applications (Periodic)
vFlow = Rate of fixed vulnerabilities – Rate of new vulnerabilities
Reactive Portfolio Assurance Strategies: Manual, Scan, Spend, Pray
Portfolio coverage is hard.
Rigor
Coverage
How sure are you that the application isn’t at risk from that vulnerability?
Scan / Manual / Architecture / Malicious
Match the level of rigor to the threat and inherent risk
What’s your assurance case?
Malicious Review
Architecture Review
Manual Testing
Code Review
Dynamic Scan
Static Analysis
Blackbox Test
Independence?
Automatic?
Evidence?
Process?
How Long?
How?
Who?
https://www.owasp.org/index.php/ASVS
Rigor coverage is really hard.
“Reactive approaches to appsec don’t scale”
– OR –
“You can’t hack yourself secure”
A different approach.
XSS Coding Pattern              Instances  Exploitability  Total
Escape attribute false                 72            10%      7
Repopulated form input               3123            43%   1343
Simple echoed input                   852            86%    733
Untrusted data in JavaScript         5487             4%    219
Untrusted data in comment             251            15%     38
Untrusted session attribute          3852             4%    154
Untrusted eval                        388             1%      4
Generated JavaScript                   70             8%      6
Use of untrusted URL                10916             3%    327
Total Projected XSS                                        2831
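Added example, not from the slides or from the ESAPI project: a small Python contextual output-escaping control of the kind the deck's "Output Escaping" component stands for, applied to the coding patterns in the table above (simple echoed input, repopulated form input, untrusted data in JavaScript, use of untrusted URL). The function names, the template strings and the untrusted sample value are assumptions; the encoders follow the split ESAPI makes between HTML body, attribute, JavaScript and URL contexts but are built here from the Python standard library.

```python
# Added example: one standard output-escaping control per rendering context,
# shown beside the raw-interpolation antipattern it replaces. Names and the
# sample input are assumptions for illustration, not ESAPI's own API.
import html
import json
import urllib.parse

# Constructed untrusted value: the sort of thing a form "repopulates" or a
# page echoes back. It contains a quote and tags so a missing encoder shows.
UNTRUSTED = '"><b>x</b><!-- '


def encode_for_html(s: str) -> str:
    """HTML element body ('simple echoed input'): escape & < > " '."""
    return html.escape(s, quote=True)


def encode_for_html_attribute(s: str) -> str:
    """Quoted attribute value ('repopulated form input', 'escape attribute
    false'): encode every non-alphanumeric character as a numeric entity,
    so the value can neither close the quote nor introduce a new attribute."""
    return "".join(
        c if c.isascii() and c.isalnum() else f"&#x{ord(c):x};" for c in s
    )


def encode_for_javascript(s: str) -> str:
    """JS string literal ('untrusted data in JavaScript'): json.dumps yields a
    double-quoted literal with quotes and backslashes escaped; < and > are
    additionally escaped so the literal can never terminate a <script>."""
    return json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_for_url(s: str) -> str:
    """URL query parameter ('use of untrusted URL'): percent-encode everything
    outside the unreserved set."""
    return urllib.parse.quote(s, safe="")


# Antipatterns: raw interpolation, kept only to show what the control replaces.
def repopulate_form_unsafe(value: str) -> str:
    return f'<input type="text" name="q" value="{value}">'


def echo_unsafe(value: str) -> str:
    return f"<p>{value}</p>"


# The same templates with the standard encoder for each context.
def repopulate_form(value: str) -> str:
    return f'<input type="text" name="q" value="{encode_for_html_attribute(value)}">'


def echo(value: str) -> str:
    return f"<p>{encode_for_html(value)}</p>"


def script_var(value: str) -> str:
    return f"<script>var q = {encode_for_javascript(value)};</script>"


def link(value: str) -> str:
    return f'<a href="/search?q={encode_for_url(value)}">search</a>'


def raw_fragment_present(markup: str, fragment: str) -> bool:
    """Crude illustration check: did the untrusted text reach the output
    verbatim? True means the markup structure is under the user's control."""
    return fragment in markup


if __name__ == "__main__":
    cases = [
        ("unsafe attr", repopulate_form_unsafe),
        ("attr", repopulate_form),
        ("unsafe body", echo_unsafe),
        ("body", echo),
        ("js", script_var),
        ("url", link),
    ]
    for name, fn in cases:
        out = fn(UNTRUSTED)
        flag = raw_fragment_present(out, UNTRUSTED)
        print(f"{name:12} raw-fragment-present={flag} :: {out}")
```

One row of the table has no encoder: "Untrusted eval" places the data where it runs as code, so the only control is to remove the pattern. That is the "scale down the problem space" point of the deck: a standard encoder takes the other patterns off the developer's plate, and what is left is an antipattern to ban rather than a case to encode.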
ESAPI
Antipatterns
Controls
eLearning
Metrics
XSS
Only “Hard” XSS
Application Portfolio
[Chart: x-axis Less Critical → More Critical; y-axis Coverage / Assurance. Scan, Scan, Scan, Deep Review]
Standard Controls Patterns
Strong simple security controls for every developer
Goal: Secure the Portfolio
Reactive: Scale up verification
ESAPI: Scale down problem space
• Strong?
• Simple?
• Method?
• Service?
• Standardized?
• Centralized?
• Externalized?
• Automatic?
• Manageable?
• Auditable?
• Assurance?
ESAPI Scale
Easier Standards
Easier Architecture
Easier Development
Easier Training
Easier Verification
Easier Remediation
[Diagram: Before (quadrants 1-4) vs. ESAPI]
Portfolio Assurance Strategy
A few controls
Standard controls
Ahead of the curve
Technical
* Provides Controls
* Speeds Development
Cultural
* Security Engaged
* Breaks Addiction
Develop One Standard Control
Verify Security
Pilot with Real Projects
Refine Control
Build Out Guidance
Measure Success and Expand
Understand Security Architecture
80% design, 20% implementation
ESAPI Specification (In Progress)
ESAPI Application Programming Interface (API)
Java, .NET, PHP, CF, ASP, Python, Ajax, Ruby, Force.com, C / C++, Android
==Extra Slides==
AppSec Training • Instructor-led and eLearning
Secure Development Support • Standards, architecture, controls, remediation
Verification Services • Code review, security testing, architecture review
AppSec Programs • Plan, team, process, metrics, communications
[Diagram: ESAPI controls across the enterprise]
Controls: Access Control, Authentication and Identity, App Firewall, Access Reference Map, Output Escaping, Input Validation, Logging, Exception Handling, Secure Config, Intrusion Detection, HTTP Utilities, Encryption and Signing
Tiers: Client Tier, Presentation Tier, Component Tier, Back-Office Tier
Nodes: Browser, Application Client, Web Servers, Portals, Application Servers, Web Services, Databases, Mainframes, Legacy App
Enterprise Application Security Services
Security Infrastructure
ESAPI Scorecard
Authentication
Identity
Access Control * *
Input Validation
Output Escaping
Canonicalization
Encryption
Random Numbers
Exceptions
Logging
Intrusion Detection
Security Config
App Firewall