Jeff Williams, CEO OWASP NYNJ 11/17/2011


Page 1: Jeff Williams, CEO OWASP NYNJ ESAPI... · 2012. 3. 30. · ESAPI Specification (In Progress) ESAPI Application Programming Interface (API) a.NET PHP CF ASP Python Ajax y.com C++ oid

Jeff Williams, CEO

OWASP NYNJ

11/17/2011

Page 2:

ESAPI is a philosophy

Not a library

Page 3:

“Secure the Application Portfolio”

Page 4:

Page 5:

“We Need Coverage!”

Page 6:

Chart axes: Portfolio Coverage / Vuln Coverage

Page 7:

I love finding vulns

Page 8:

• business layer access control issues

• internal identity management issues

• lack of a structured security error handling approach

• improper caching and pooling

• failure to log critical events

• logging sensitive information

• fail-open security mechanisms

• many unusual forms of injection

• improper temporary storage of sensitive information

• encryption algorithm choice and implementation problems

• improperly protected credentials, keys, and other secrets

• backdoors, timebombs, easter eggs, and other malicious code

• all concurrency issues (race conditions, TOCTOU, deadlock, etc.)

• failure to use SSL to connect to backend systems

• lack of proper authentication with backend systems

• lack of access control over connections to backend systems

• lack of proper validation and encoding of data sent to and received from backend systems

• lack of proper error handling surrounding backend connections

• lack of centralization in security mechanisms

• other insane design and implementation patterns for security mechanisms

• code quality issues that lead to security issues (duplication, dead code, modularity, complexity, style)

• improper separation of test and production code

• lots more...

What’s in the list of things that you can’t really scan for?

Page 9:

• Account lockout

• Posting unreviewed content

• Weakly hashed credentials

• Time of check, time of use

• Timing channel

• Weak password recovery

• Forced browsing

Tools don’t even attempt to find business logic problems.

Page 10:

Is anything you can’t scan for a business logic flaw?

Venn diagram labels: Business Logic Flaw / Scan-able Flaw

Page 11:

Flowchart: Need to understand business? YES: Business logic flaw (BLF). NO: Not a business logic flaw. SCAN?

Page 12:

Vulnerabilities and Controls

Page 13:

Missing and broken security controls

Very difficult to find with static tools

Page 14:

NSA Center for Assured Software

• Seven tools

• 13,801 Test Cases

• 527 flaw types

• Various data and control flows

• 85% of problems were not “discriminated” by ANY tools


http://www.appsecusa.org/p/nsacas.pdf

Page 15:

Results with False Alarms


Page 16:

5|0|8|http://tester:8888/testapp/|9E4CB3D5635C548906BFB576DD18C710|com.test.app.client.GreetingService|greetServer|[Ljava.lang.String;/2600011424|hi|there|blah|1|2|3|4|1|5|5|3|6|7|8|%26ping%20-n%2020%20127.0.0.1%26

Ajax

Web Services

Serialized Objects

Mobile

WebSocket

Penetration testing is about to get a LOT harder.

Page 17:

The fastest, cheapest way to get vulnerability coverage

Static Analysis

Manual Code Analysis

Dynamic Analysis

Manual Testing

Threat Modeling

Architecture Review

Page 18:

Vulnerability coverage is hard.

Page 19:

Portfolio Coverage

Page 20:

1000 apps x 1 week = $10m

It takes a village week*

* For any verification of risks you actually care about

Page 21:

“Finding” 1x

“Fixing” 4x

Invisible Cost

Page 22:

10,000 vulns x ( $1,000 to find + $4,000 to fix ) = $50m

* Static guys say 10-40 “vulns” per kloc

Page 23:

2000 vulns * $5,000 = $10m / year

Changed Code

New Code

Page 24:

Security Verification Docket

* Budget

* Resources

* Planning

New and Changed Applications

Legacy Applications (Periodic)

Page 25:

Page 26:

vFlow = Rate of new vulnerabilities – Rate of fixed vulnerabilities

Page 27:

Portfolio Assurance Strategies

Manual, Scan, Spend, Pray, Reactive

Page 28:

Portfolio coverage is hard.

Page 29:

Chart axes: Rigor / Coverage

Page 30:

How sure are you that the application isn’t at risk from that vulnerability?

Scan, Manual, Architecture, Malicious

Match the level of rigor to the threat and inherent risk

Page 31:

What’s your assurance case?

Malicious Review

Architecture Review

Manual Testing

Code Review

Dynamic Scan

Static Analysis

Blackbox Test

Independence?

Automatic?

Evidence?

Process?

How Long?

How?

Who?

Page 32:

https://www.owasp.org/index.php/ASVS

Page 33:

Rigor coverage is really hard.

Page 34:

“Reactive approaches to appsec don’t scale”

– OR –

“You can’t hack yourself secure”

Page 35:

A different approach.

Page 36:

Page 37:

XSS Coding Pattern Instances Exploitability Total

Escape attribute false 72 10% 7

Repopulated form input 3123 43% 1343

Simple echoed input 852 86% 733

Untrusted data in JavaScript 5487 4% 219

Untrusted data in comment 251 15% 38

Untrusted session attribute 3852 4% 154

Untrusted eval 388 1% 4

Generated JavaScript 70 8% 6

Use of untrusted URL 10916 3% 327

Total Projected XSS 2831
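The coding patterns in the table are output contexts, and the “Escape attribute false” and “Untrusted data in JavaScript” rows are exactly where a one-size-fits-all escaper fails. The Python below is an added example, not ESAPI’s or the deck’s code: the encoder names echo ESAPI’s Encoder interface, while the two page templates, the minimal four-character escaper and the sample inputs are constructed; it renders two of the table’s patterns and uses the standard library HTML parser to check whether the untrusted value stayed inside its context.

```python
import re
from html.parser import HTMLParser

_ALNUM = re.compile(r"[A-Za-z0-9]")

def escape_html_4(s: str) -> str:
    """Minimal escaper found in many templates: & < > and the double quote only."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))

def encode_for_html_attribute(s: str) -> str:
    """Attribute context: every non-alphanumeric char becomes a numeric entity."""
    return "".join(c if _ALNUM.match(c) else f"&#x{ord(c):x};" for c in s)

def encode_for_javascript(s: str) -> str:
    """JS string-literal context: \\xHH or \\uHHHH escapes, which HTML never decodes."""
    return "".join(c if _ALNUM.match(c)
                   else (f"\\x{ord(c):02x}" if ord(c) < 0x100 else f"\\u{ord(c):04x}")
                   for c in s)

def no_escape(s: str) -> str:
    """The table's 'Escape attribute false' pattern: output goes out untouched."""
    return s

# Hypothetical templates standing in for two rows of the table.
def render_repopulated_input(value: str, esc) -> str:
    return f'<input type="text" name="q" value="{esc(value)}">'

def render_js_string(value: str, esc) -> str:
    return f"<script>var q = '{esc(value)}';</script>"

class _FirstTag(HTMLParser):
    """Collects the attributes of the first start tag, as a browser would parse them."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)

def attribute_names(html: str) -> set:
    """Attribute names the browser sees; an injected 'onfocus' means the value broke out."""
    p = _FirstTag()
    p.feed(html)
    return set(p.attrs or {})

def js_literal_intact(html: str) -> bool:
    """True if the injected value stayed entirely inside the quoted JS literal."""
    m = re.search(r"<script>var q = '((?:\\.|[^'\\])*)'(.*)</script>", html, re.S)
    return m is not None and m.group(2) == ";"

# Constructed sample inputs (not from the deck).
ATTR_SAMPLE = '" autofocus onfocus="x()'
JS_SAMPLE = "'; x(); //"
```

The four-character escaper is enough for a double-quoted attribute but not for the JavaScript string, which is why the table treats the contexts as separate patterns and why a standard per-context encoder beats ad hoc escaping.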

Page 38:

ESAPI

Antipatterns

Controls

eLearning

Metrics

XSS

Only “Hard” XSS

Page 39:

Page 40:

Chart: Application Portfolio, Less Critical to More Critical (x-axis); Coverage / Assurance (y-axis)

Scan, Scan, Scan, Deep Review

Standard Controls / Patterns

Page 41:

Strong simple security controls for every developer

Page 42:

Goal: Secure the Portfolio

Reactive: Scale up verification

ESAPI: Scale down problem space

Page 43:

Page 44:

• Strong?

• Simple?

• Method?

• Service?

• Standardized?

• Centralized?

• Externalized?

• Automatic?

• Manageable?

• Auditable?

• Assurance?

Page 45:

ESAPI Scale

Easier Standards

Easier Architecture

Easier Development

Easier Training

Easier Verification

Easier Remediation

Page 46:

Before (diagram labels: 1, 2, 3, 4)

ESAPI

Portfolio Assurance Strategy

A few controls

Standard controls

Ahead of the curve

Page 47:

Technical

* Provides Controls

* Speeds Development

Cultural

* Security Engaged

* Breaks Addiction

Page 48:

Page 49:

Develop One Standard Control

Verify Security

Pilot with Real Projects

Refine Control

Build Out Guidance

Measure Success and Expand

Understand Security Architecture

80% design, 20% implementation

Page 50:

ESAPI Specification (In Progress)

ESAPI Application Programming Interface (API)

Java, .NET, PHP, CF, ASP, Python, Ajax, Ruby, Force.com, C / C++, Android

Page 51:

Page 52:

==Extra Slides==

Page 53:

AppSec Training • Instructor-led and eLearning

Secure Development Support • Standards, architecture, controls, remediation

Verification Services • Code review, security testing, architecture review

AppSec Programs • Plan, team, process, metrics, communications

Page 54:

Page 55:

Page 56:

Access Control

Authentication and Identity

App Firewall

Access Reference Map

Output Escaping

Input Validation

Logging

Exception Handling

Secure Config

Intrusion Detection

HTTP Utilities

Encryption and Signing

Page 57:

Application Client

Browser Application Servers

Web Services

Databases

Mainframes Portals

Web Services

Web Servers

Tiers: Client Tier, Presentation Tier, Component Tier, Back-Office Tier

Enterprise Application Security Services

Security Infrastructure

Web Services

Legacy App

Page 58:

ESAPI Scorecard

Authentication

Identity

Access Control * *

Input Validation

Output Escaping

Canonicalization

Encryption

Random Numbers

Exceptions

Logging

Intrusion Detection

Security Config

App Firewall

Page 59: Jeff Williams, CEO OWASP NYNJ ESAPI... · 2012. 3. 30. · ESAPI Specification (In Progress) ESAPI Application Programming Interface (API) a.NET PHP CF ASP Python Ajax y.com C++ oid