Developing Secure Applications Martin Knobloch Sogeti Nederland B.V. Design and Software Architecture www.OWASP.org

Upload: phpseminar

Post on 28-Jun-2015


TRANSCRIPT

Page 1: Developing Secure Applications   Martin Knobloch

Developing Secure Applications

Martin Knobloch Sogeti Nederland B.V. Design and Software Architecture

www.OWASP.org

Page 2: Developing Secure Applications   Martin Knobloch

Developing Secure Applications! PHP Business Seminar

• Security Requirements?

• Security Awareness!

• Application Security?

• Secure Development Process!

• Stay Secure?

• Summary, Questions And Discussion

Page 3: Developing Secure Applications   Martin Knobloch

Proactive Security Strategy:

• To make application security a standard subject of application development
> By making all roles inside an application development process aware of the possibilities and threats.

• Supplying education, standards, tooling, protocols and best practices to optimise the Secure Development Process

• Technologies
> Functional Design / Information Analysis
> Design & Software Architecture
> Java
> Oracle
> CMS/Portals
> PHP
> Cobol / Uniface
> Test

Page 4: Developing Secure Applications   Martin Knobloch

Open Web Application Security Project:

• World Wide Open Source Community!

• Dedicated to finding and fighting the causes of insecure software.

• Tools
> WebGoat Project
> WebScarab Project
> ...

• Documentation
> Top Ten Project
> Guide Project
> AppSec FAQ Project
> Testing Guide Project
> PHP Project
> ...

Page 5: Developing Secure Applications   Martin Knobloch


Page 6: Developing Secure Applications   Martin Knobloch

Page 7: Developing Secure Applications   Martin Knobloch

[Diagram: requirements levels]

• User requirements
• Business requirements
• System requirements
> Functional
> Non-functional
> Business rules, External interfaces, Constraints
• Questions asked at each level: ‘Why’, ‘What’, ‘How’, ‘Who?’

Page 8: Developing Secure Applications   Martin Knobloch


Page 9: Developing Secure Applications   Martin Knobloch

The environments in which the software applications ran were closed.

• Because of this, the applications could be developed ‘open’.

Page 10: Developing Secure Applications   Martin Knobloch

The environments became more open over time.

Page 11: Developing Secure Applications   Martin Knobloch

The environments became more open over time.

• Which means the applications have to become more closed.

Page 12: Developing Secure Applications   Martin Knobloch

The Problems:

• Cookies, HTTP authentication, SSL...

• Low learning curve

• Easy to attack (web) applications

Page 13: Developing Secure Applications   Martin Knobloch

Consciously!
• Cracker
• Hacker
• Script kiddie

Unconsciously!
• User
• System
• Environment

Risk = (Threats × Vulnerabilities / Countermeasures) × Value

Page 14: Developing Secure Applications   Martin Knobloch


Page 15: Developing Secure Applications   Martin Knobloch


Applications are about information!

3 pillars of Information Security:

> Confidentiality

> Integrity

> Availability

Page 16: Developing Secure Applications   Martin Knobloch

[Diagram: Functional Specification and Technical Implementation, each marked Secure or Insecure]

An application is secure if it acts and reacts as expected, at any time!

Page 17: Developing Secure Applications   Martin Knobloch

OWASP TOP TEN:

1. Cross Site Scripting
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object References
5. Cross Site Request Forgery
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communication
10. Failure to Restrict URL Access

Page 18: Developing Secure Applications   Martin Knobloch


Source: www.mitre.org

Page 19: Developing Secure Applications   Martin Knobloch

Example:

The username is ‘Administrator' and the password is ‘TopSecret‘

USERNAME: Administrator PASSWORD: *****

The username is ‘Administrator' and the password is ‘crap‘ or 1=1;

USERNAME: Administrator PASSWORD: ***** or 1=1
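The login check from the example above, as an added example that is not part of the original slides: the string-built query that the "or 1=1" password breaks, next to a prepared-statement version that rejects it. It assumes PHP with the PDO SQLite driver; the users table and the Administrator row are constructed.

```php
<?php
// Added example, not from the slides: the page 19 login check in a
// vulnerable and a hardened form, on an in-memory SQLite table via PDO.
// The user row is constructed; the password is stored in clear only to keep
// the demo short (real code stores a password_hash() result, Top Ten #8).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('Administrator', 'TopSecret')");

// Vulnerable: form fields are pasted into the SQL text, so a quote in the
// password ends the literal and the rest is parsed as SQL. With the slide's
// "or 1=1" trick the WHERE clause is true for every row and login succeeds.
function loginVulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened: a prepared statement sends the SQL and the values separately,
// so the driver treats the bound values as data, never as query syntax.
function loginHardened(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed inputs: the slide's legitimate login and its second attempt,
// with the quotes balanced so that SQLite accepts the resulting statement.
$injected = "crap' or '1'='1";

var_dump(loginVulnerable($db, 'Administrator', 'TopSecret'));
var_dump(loginVulnerable($db, 'Administrator', $injected));   // injection attempt
var_dump(loginHardened($db, 'Administrator', 'TopSecret'));
var_dump(loginHardened($db, 'Administrator', $injected));     // injection attempt
```

Run it with the php CLI; the two calls of each function show that only the string-built query accepts the injected password.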

Page 20: Developing Secure Applications   Martin Knobloch


Page 21: Developing Secure Applications   Martin Knobloch

[Diagram: Secure Development Process cycle]

• Education
• Experience
• Protocols, Rules
• Standards, Best Practices
• Tooling
• Evaluation, Feedback

Page 22: Developing Secure Applications   Martin Knobloch


Page 23: Developing Secure Applications   Martin Knobloch


Page 24: Developing Secure Applications   Martin Knobloch

[Diagram: System Environment]

• Internet
• Firewall
• DMZ: Web Application
• Firewall
• Private Network: Back Office
• Firewall
• Private Network: Database

Questions per tier:
> System user? System rights?
> Error handling?
> Database rights?
> User rights?

Page 25: Developing Secure Applications   Martin Knobloch


Page 26: Developing Secure Applications   Martin Knobloch

Functional Designers & Architects:
> It is not only about what functionality the application has to supply, but also what it may not do!

Engineers:
> Quality is not just ‘does it work’.

Testers:
> Security weaknesses are not different from other, functional, bugs. They can be traced down the same way.

Managers:
> Reserve project time for security
> Understand security as a mandatory value of an application

Security Analyst:
> Involve a security analyst at the beginning of the design phase.

Page 27: Developing Secure Applications   Martin Knobloch
