![Page 1: OWASP Enterprise Security API (ESAPI) for C Plus Plus · OWASP Enterprise Security API (ESAPI) for C Plus Plus Dan Amodio ESAPI for C Project Leader Dan.Amodio@owasp.org Dan.Amodio@aspectsecurity.com](https://reader031.vdocuments.us/reader031/viewer/2022012403/5afc09847f8b9a444f8b8d45/html5/thumbnails/1.jpg)
OWASP Enterprise Security API (ESAPI) for C Plus Plus
Dan Amodio, ESAPI for C Project Leader, Dan.Amodio@owasp.org, Dan.Amodio@aspectsecurity.com
April 5th, 2012
Who am I?
OWASP
ESAPI – C Project leader
ESAPI – C++ Contributor
Work
Application Security Engineer – Aspect Security
Experience
Code Reviews
Architecture Reviews
Penetration Testing
Software Development
Have Wife, Daughter, Hobbies, etc.
You?
Developers
Managers
Security Professionals
This Presentation
ESAPI Project Overview
ESAPI for C Plus Plus (yes… really.)
Integrating Security Controls (DEMO)
ESAPI Future (3.0)
WHAT IS ESAPI?
Free and Open Source (OWASP)
Free and Open Source (OWASP)
Enhanced Small Arms Protective Insert
Armor for your apps
Layered architecture diagram: the Custom Enterprise Web Application calls into the OWASP Enterprise Security API, which in turn builds on Your Existing Enterprise Services or Libraries.
ESAPI controls shown in the diagram: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
ESAPI Pattern Across Languages
Security Control Interfaces
Reference Implementations
Customizable
Why Are Centralized Controls Important?
Too many cooks in the kitchen!
No Central Controls
Develop Lower Risk Applications
Vulnerabilities and Security Controls (chart): Missing 35%, Broken 30%, Ignored 20%, Misused 15%
Potential ESAPI Cost Savings
ESAPI Language Availability
Java EE
Dot NET
ASP
PHP
ColdFusion
Python
JavaScript
Objective C
Force.com
Ruby
C
C++
Perl
Feature Set vs. Programming Language
Rows give the ESAPI version of each feature per language (the language column headers did not survive extraction):
Authentication 2.0 1.4 1.4 1.4 2.0 planned
Identity 2.0 1.4 1.4 1.4 2.0 planned
Access Control 2.0 1.4 1.4 1.4 1.4 2.0 planned
Input Validation 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Output Escaping 2.0 1.4 1.4 1.4 1.4 2.0 2.0
Canonicalization 2.0 1.4 1.4 1.4 1.4 2.0 ???
Encryption 2.0 1.4 1.4 1.4 1.4 2.0
Random Numbers 2.0 1.4 1.4 1.4 1.4 2.0
Exception Handling 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Logging 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Intrusion Detection 2.0 1.4 1.4 1.4
Security Configuration 2.0 1.4 1.4 1.4 1.4 1.4 2.0 TBD
WAF 2.0
WHY ESAPI FOR C++?
Reasoning
Sponsored by Government
Currently ESAPI for C
C++ is still popular and used in critical applications
Almost 40k C++ Projects on Sourceforge
Source: http://sourceforge.net/directory/
Over 6k C++ Jobs on Dice
Retro-fit Existing Applications
Critical Utilities / Systems
Telecom
Defense
Banking / Trading
Enterprise Apps
Point of Sale
Employee Interfaces
Airline applications
Terminal Systems
???
New Applications
MMO Games
Critical Utilities / Systems
Embedded Applications
Server Applications
???
ESAPI C++ Controls
Authentication
User
Access Control
Validation
Encoding
Execution
Encryption
Logging
DEMO
Example ESAPI Integration
Example Workflow
ARCHITECTURE
Design Choices, Controls, Dependencies
Design Approach
Based on the Java design
Removed Web Specifics
Reached out to the community
ESAPI C++ Controls
Layered architecture diagram: the Custom Enterprise Application calls into the OWASP Enterprise Security API for C++, which in turn builds on Your Existing Enterprise Services or Libraries.
ESAPI controls shown in the diagram: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
ESAPI C++ Controls
Authentication
User
Access Control
Validation
Encoding
Execution
Encryption
Logging
General Requirements
Cross-Platform
Lightweight
Easy to setup and use
Thread / Memory safe
Not a memory management solution
Cross-Platform Testing
Windows / Unix
Compilers
Visual Studio 2008 / 2010
GCC
Intel ICC
Unit testing
Lightweight
Few Dependencies
Boost
Crypto++
Easy to setup and use
Documentation
Few dependencies
Require as little as possible from the developer
Thread / Memory Safe
Locking
Minimal use of pointers
Code review
Assertions (nullptr/0/null?)
SafeInt class written by David LeBlanc
http://safeint.codeplex.com/
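Added illustration of the integer-overflow bug class that a checked-integer type such as SafeInt guards against: the checkedMul helper below mirrors SafeInt's throw-on-overflow behaviour but is hand-written here, not SafeInt's or the ESAPI project's code (checkedMul, allocateRecords and wouldWrap are assumed names):

```cpp
#include <cstddef>
#include <limits>
#include <stdexcept>
#include <vector>

// Unchecked: count * recordSize wraps modulo SIZE_MAX, so a huge count taken
// from untrusted input yields a tiny allocation that later writes overrun.
std::size_t uncheckedRecordBytes(std::size_t count, std::size_t recordSize) {
    return count * recordSize;
}

// Checked: reject the multiplication instead of letting it wrap. This is the
// same contract SafeInt enforces through its operator overloads.
std::size_t checkedMul(std::size_t a, std::size_t b) {
    if (a != 0 && b > std::numeric_limits<std::size_t>::max() / a)
        throw std::overflow_error("size computation overflows size_t");
    return a * b;
}

// Caller: allocate a zero-filled buffer for `count` records, or fail loudly
// with an exception rather than silently under-allocating.
std::vector<unsigned char> allocateRecords(std::size_t count, std::size_t recordSize) {
    return std::vector<unsigned char>(checkedMul(count, recordSize));
}

// Diagnostic: true when the unchecked computation wrapped for these inputs,
// i.e. dividing the product back does not recover the original count.
bool wouldWrap(std::size_t count, std::size_t recordSize) {
    std::size_t bytes = uncheckedRecordBytes(count, recordSize);
    return count != 0 && recordSize != 0 && bytes / recordSize != count;
}
```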
Memory Management
Not a memory management solution
Crypto
Consistent with Java Implementation
Requirement - Not broken
Jeff Walton
Kevin Wall (Fixed ESAPI Java crypto)
Wei Dai's Crypto++
http://www.cryptopp.com/
Current Project State
Not production ready
Some unfinished components and issues
Unicode
Reference Implementations
Need contributors and testers
How to get involved (C++)
http://www.google.com/search?q=esapi+c%2B%2B
Google Code http://code.google.com/p/owasp-esapi-cplusplus/
OWASP https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Mailing List https://lists.owasp.org/mailman/listinfo/owasp-esapi-c++
How to get involved (C)
Google Code http://code.google.com/p/owasp-esapi-c/
OWASP https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Mailing List https://lists.owasp.org/mailman/listinfo/owasp-esapi-c
ESAPI Project Future
ESAPI Community
Pluggable Architecture
Just get what you need
Lots of Documentation!
Cheat Sheets / Guides
Videos