Copyright © 2009 - The OWASP Foundation This work is available under the Creative Commons SA 3.0 license
The OWASP Foundation
OWASP
http://www.owasp.org
Don’t Write Your Own Security Code – The Enterprise Security API Project
Jeff Williams Aspect Security CEO Volunteer Chair of OWASP [email protected]
modified by [email protected]
OWASP 3
The Challenge…
Java Logging, Reform, ACEGI, Struts, Stinger, Anti-XSS, BouncyCastle, Spring, Log4j, Commons Validator, Jasypt, JCE, JAAS, Cryptix, HDIV, xml-dsig, xml-enc, and many more
OWASP 4
Philosophy
Using security controls is different from building them
All the security guidelines, courses, tutorials, websites, books, etc… are all mixed up because everyone builds their own controls
Most developers shouldn’t build security controls
When to use a control
How to use a control
Why to use a control (maybe)
Most enterprises need the same set of calls
OWASP 5
Design
Only include methods that…
Are widely useful and focus on the most risky areas
Designed to be simple to understand and use
Interfaces with concrete reference implementation
Full documentation and usage examples
Same basic API across common platforms
Java EE, .NET, PHP, others?
Useful to Rich Internet Applications?
OWASP 6
Architecture Overview
Custom Enterprise Web Application
Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
Existing Enterprise Security Services/Libraries
OWASP 7
Create Your ESAPI Implementation
Your Security Services
Wrap your existing libraries and services
Extend and customize your ESAPI implementation
Fill in gaps with the reference implementation
Your Coding Guideline
Tailor the ESAPI coding guidelines
Retrofit ESAPI patterns to existing code
OWASP 8
Frameworks and ESAPI
ESAPI is NOT a framework
Just a collection of security functions, not “lock in”
Frameworks already have some security
Controls are frequently missing, incomplete, or wrong
ESAPI Framework Integration Project
We’ll share best practices for integrating
Hopefully, framework teams like Struts adopt ESAPI
OWASP 9
Vulnerabilities and Security Controls
OWASP 10
Web Escaping and Encoding
The many ways to write a single character, here <:
Percent Encoding: %3c %3C
HTML Entity Encoding: &lt; &#60; &#x3c; and their variants with leading zeros, upper or lower case, and with or without the trailing semicolon (&lT &Lt &lT; ≪ among them)
JavaScript Escape: \< \x3c \X3c \u003c \U003c \x3C \X3C \u003C \U003C
CSS Escape: \3c \03c \003c \0003c \00003c \3C \03C \003C \0003C \00003C
Overlong UTF-8: %c0%bc %e0%80%bc %f0%80%80%bc %f8%80%80%80%bc %fc%80%80%80%80%bc
US-ASCII: ¼
UTF-7: +ADw-
Punycode: <-
Simple Double Encoding: < --> &lt; --> &amp;lt; (double entity); < --> %3c --> %253c (double percent); etc...
Double Encoding with Multiple Schemes: < --> &lt; --> %26lt%3b (first entity, then percent); < --> %26 --> 26 (first percent, then entity); etc...
Simple Nested Escaping: < --> %3c --> %%33%63 (nested encode percent both nibbles); < --> %3c --> %%33c (nested encode first nibble percent); < --> %3c --> %3%63 (nested encode second nibble percent); < --> &lt; --> &&#108;t; (nested encode l with entity); etc...
Nested Escaping with Multiple Schemes: < --> &lt; --> &%6ct; (nested encode l with percent); < --> %3c --> %&#51;c (nested encode 3 with entity); etc...
1,677,721,600,000,000 ways to encode <script>
OWASP 11
1. ESAPI Input Validation
Any Encoding, Any Interpreter
Layers: User → Presentation Layer → Controller → Business Functions → Data Layer → Backend
Decoding Engine
Codecs: HTML Entity Encoding, Percent Encoding, JavaScript Encoding, VBScript Encoding, CSS Encoding, MySQL Encoding, Oracle Encoding, LDAP Encoding, …
Validation Engine
Validate: getValidDate(), getValidCreditCard(), getValidSafeHTML(), getValidInput(), getValidNumber(), getValidFileName(), getValidRedirect(), safeReadLine(), …
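The encoding slide and the decoding/validation engine above describe the pipeline in words. What follows is an added example written for this transcript, in Python rather than Java and not ESAPI's own code: it canonicalizes input through several codecs, rejects double and mixed encoding the way ESAPI's reference canonicalize() does by default, and only then checks the canonical value against a named whitelist rule. Every function, rule and message name is a hypothetical stand-in, and the codecs cover only the percent, HTML entity, JavaScript and CSS forms the slide lists (the overlong UTF-8, UTF-7 and Punycode forms are not handled here).

```python
import re

# Added example, not ESAPI's own code: a canonicalize-then-validate pipeline
# in the style of ESAPI's Encoder.canonicalize() and Validator.getValidInput().
# Every name below is a hypothetical stand-in.


class IntrusionException(Exception):
    """Input was encoded more than once or with several schemes at once;
    no legitimate client does that, so the request is rejected outright."""


class ValidationException(Exception):
    """Carries a safe message for the user and a detailed one for the log."""

    def __init__(self, user_message, log_message):
        super().__init__(user_message)
        self.user_message = user_message
        self.log_message = log_message


_NAMED_ENTITIES = {"lt": "<", "gt": ">", "amp": "&", "quot": '"', "apos": "'"}


def _chr_or_keep(match, code_point):
    # Values beyond Unicode are not decoded; the text is kept unchanged.
    return chr(code_point) if code_point <= 0x10FFFF else match.group(0)


def _decode_percent(s):
    # %HH -> one byte, e.g. %3c -> "<"
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _decode_html_entity(s):
    # &#60; &#x3c; &lt; plus the sloppy variants browsers accept: leading
    # zeros, upper/lower case, and a missing semicolon.
    s = re.sub(r"&#(\d+);?", lambda m: _chr_or_keep(m, int(m.group(1))), s)
    s = re.sub(r"&#[xX]([0-9A-Fa-f]+);?", lambda m: _chr_or_keep(m, int(m.group(1), 16)), s)
    return re.sub(r"&([A-Za-z]+);?",
                  lambda m: _NAMED_ENTITIES.get(m.group(1).lower(), m.group(0)), s)


def _decode_javascript(s):
    # \xHH, \uHHHH and the identity escape (\< -> <). Backslash-plus-hex-digit
    # is left to the CSS codec so the two codecs never compete for one span.
    s = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"\\([^xu0-9A-Fa-f])", r"\1", s)


def _decode_css(s):
    # \3c, \0003c, \00003c: one to six hex digits and an optional trailing space
    return re.sub(r"\\([0-9A-Fa-f]{1,6}) ?",
                  lambda m: _chr_or_keep(m, int(m.group(1), 16)), s)


_CODECS = [("percent", _decode_percent), ("html", _decode_html_entity),
           ("javascript", _decode_javascript), ("css", _decode_css)]


def canonicalize(value, restrict_multiple=True, restrict_mixed=True):
    """Decode until nothing changes. Input that needed more than one pass
    (double encoding) or more than one codec (mixed encoding) is rejected,
    because both are attack signatures rather than anything a user types."""
    working, codecs_seen, passes = value, set(), 0
    while True:
        changed = []
        for name, decode in _CODECS:
            decoded = decode(working)
            if decoded != working:
                changed.append(name)
                working = decoded
        if not changed:
            return working
        passes += 1
        codecs_seen.update(changed)
        if restrict_multiple and passes > 1:
            raise IntrusionException(f"multiple encoding detected in {value!r}")
        if restrict_mixed and len(codecs_seen) > 1:
            raise IntrusionException(f"mixed encoding detected in {value!r}")


def is_rejected(value):
    """True when canonicalize() classes the value as an encoding attack."""
    try:
        canonicalize(value)
        return False
    except IntrusionException:
        return True


# Whitelist rules keyed by name, as ESAPI's validation properties are.
_RULES = {"SafeString": re.compile(r"[A-Za-z0-9 .,_'-]*"),
          "Email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")}


def get_valid_input(context, user_input, rule_name, max_length, allow_null=False):
    """Same parameter order as ESAPI's getValidInput(): canonicalize first,
    then match the whole canonical value against the named whitelist."""
    if user_input is None or user_input == "":
        if allow_null:
            return None
        raise ValidationException(f"{context}: a value is required",
                                  f"{context}: empty input rejected")
    canonical = canonicalize(user_input)  # may raise IntrusionException
    if len(canonical) > max_length:
        raise ValidationException(f"{context}: value is too long",
                                  f"{context}: {len(canonical)} chars exceeds {max_length}")
    if not _RULES[rule_name].fullmatch(canonical):
        # The user message never echoes the input; the log message does.
        raise ValidationException(f"{context}: value is not valid",
                                  f"{context}: {user_input!r} (canonical {canonical!r}) "
                                  f"failed rule {rule_name}")
    return canonical
```

The point of the design is the order: decoding happens once, centrally and before any rule runs, so a rule like SafeString never has to know that %253c, &amp;lt; and \x3c are all the same character. Note that the identity escape in the JavaScript codec will also strip backslashes from legitimate data such as Windows paths; that is the known cost of canonicalizing every backslash form, and a reason to validate file names with a dedicated rule rather than the generic one.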
OWASP 12
HTML Execution Contexts
Contexts: CSS, JavaScript, HTML Attributes, HTML Elements, Event Handlers, URI Attributes
Escape forms in those contexts:
\any \xHH \uHHHH \000 (octal)
\specials \xHH \uHHHH
&#DD &#xHH &entity;
" ' &#DD &#xHH
" ' \specials \xHH \uHHHH
%HH
OWASP 13
ESAPI Swingset
http://www.owasp.org/index.php?title=XSS_Prevention
OWASP 14
2. ESAPI Output Encoding
Layers: User → Presentation Layer → Controller → Business Functions → Data Layer → Backend
Encoding Engine
Encode: setCharacterEncoding(), encodeForHTML(), encodeForHTMLAttribute(), encodeForJavaScript(), encodeForVBScript(), encodeForCSS(), encodeForURL(), encodeForXML(), encodeForLDAP(), encodeForDN(), …
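The execution-contexts slide lists which escape form each context understands, and the encoding engine above lists one encoder per context. The following is an added example for this transcript, in Python and not ESAPI's own code, that implements five of those encoders on the same whitelist principle (alphanumerics pass, everything else is escaped in the form the target context decodes) and then places one untrusted value into four contexts at once. Function names mirror the slide's encodeFor*() names but are hypothetical; the immune-character sets are this editor's choice.

```python
import html
import string

# Added example, not ESAPI's own code: one encoder per HTML execution context,
# in the spirit of ESAPI's Encoder.encodeForHTML() family. All names are
# hypothetical stand-ins; only the five contexts used below are covered.

_ALNUM = set(string.ascii_letters + string.digits)


def _encode_chars(value, immune, escape):
    # Whitelist approach: alphanumerics and the context's "immune" characters
    # pass through unchanged; every other character gets the context's escape.
    return "".join(c if c in _ALNUM or c in immune else escape(c) for c in value)


def encode_for_html(value):
    # Element content: hex character references, always with the semicolon.
    return _encode_chars(value, " ,.-_", lambda c: f"&#x{ord(c):x};")


def encode_for_html_attribute(value):
    # Quoted attribute value: same references, but space is not immune, so the
    # output stays safe even if the quotes around the attribute are forgotten.
    return _encode_chars(value, ",.-_", lambda c: f"&#x{ord(c):x};")


def encode_for_javascript(value):
    # Inside a JS string literal: \xHH below 256, otherwise \uHHHH per UTF-16
    # code unit (so characters beyond the BMP become a surrogate pair).
    def esc(c):
        if ord(c) < 256:
            return f"\\x{ord(c):02x}"
        units = c.encode("utf-16-be")
        return "".join(f"\\u{int.from_bytes(units[i:i + 2], 'big'):04x}"
                       for i in range(0, len(units), 2))
    return _encode_chars(value, ",._", esc)


def encode_for_css(value):
    # CSS string or identifier: \HH plus a trailing space, so a hex digit that
    # follows in the data cannot be absorbed into the escape.
    return _encode_chars(value, "", lambda c: f"\\{ord(c):x} ")


def encode_for_url(value):
    # Query-string component: percent-encode each UTF-8 byte, upper-case hex.
    return _encode_chars(value, "-_.~",
                         lambda c: "".join(f"%{b:02X}" for b in c.encode("utf-8")))


def round_trips_html(value):
    """Sanity check: a browser's entity decoding recovers the original text."""
    return html.unescape(encode_for_html(value)) == value


def render_profile(display_name):
    """The same untrusted value placed in four contexts, each with its own
    encoder. The fixed markup is the only <script> tag in the result."""
    return (
        f'<div title="{encode_for_html_attribute(display_name)}">'
        f"{encode_for_html(display_name)}</div>\n"
        f'<script>var who = "{encode_for_javascript(display_name)}";</script>\n'
        f'<a href="/profile?name={encode_for_url(display_name)}">profile</a>'
    )
```

Encoding nearly everything, rather than a blacklist of "dangerous" characters, is what makes the slide's 1,677,721,600,000,000 variants irrelevant on the output side: the encoder never has to recognise an attack, only to emit characters in a form the context cannot misread.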
OWASP 15
Applications Enjoy Attacks
YouTube
Live Search
Blogger
OWASP 16
3. Errors, Logging, and Detection
Intrusion Detector: configurable thresholds and responses
• Log Intrusion • Logout User • Disable Account
Enterprise Security Exceptions, Logger
Layers: User → Presentation Layer → Controller → Business Functions → Data Layer → Backend
throw new ValidationException("User message", "Log message");
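The slide above gives the two ideas in one line of Java: an exception that carries a user message and a log message separately, and a detector that counts such events and responds once a threshold is crossed. The following is an added example for this transcript, in Python and not ESAPI's own code, that implements both with a sliding time window and the three responses the slide names. The threshold table is a constructed sample policy, and the logger, logout and disable actions are recorded in plain lists and sets as stand-ins for the real Logger, Authenticator and User services.

```python
import time
from collections import defaultdict, deque

# Added example, not ESAPI's own code: an exception hierarchy that separates
# the user message from the log message, plus an intrusion detector with
# configurable thresholds and responses. All names are hypothetical stand-ins.


class EnterpriseSecurityException(Exception):
    def __init__(self, user_message, log_message):
        super().__init__(user_message)
        self.user_message = user_message  # safe to show the user
        self.log_message = log_message    # detail for the security log only


class ValidationException(EnterpriseSecurityException):
    pass


class AuthenticationException(EnterpriseSecurityException):
    pass


# Constructed sample policy: event name -> (count, seconds, responses)
THRESHOLDS = {
    "ValidationException": (5, 60, ["log"]),
    "AuthenticationException": (3, 300, ["log", "logout", "disable"]),
}


class IntrusionDetector:
    def __init__(self, thresholds, clock=time.monotonic):
        self.thresholds = thresholds
        self.clock = clock  # injectable so the sliding window is testable
        self._events = defaultdict(deque)  # (user, event) -> timestamps
        self.log = []            # stand-in for the Logger
        self.logged_out = set()  # stand-in for Authenticator.logout()
        self.disabled = set()    # stand-in for User.disable()

    def handle(self, user, exc):
        """Log the detailed message, count the event, and hand back only the
        user-safe message for the HTTP response."""
        self.log.append(f"{user}: {type(exc).__name__}: {exc.log_message}")
        self.add_event(user, type(exc).__name__)
        return exc.user_message

    def add_event(self, user, event):
        """Count one occurrence; when the count inside the interval reaches
        the threshold, run the configured responses and return their names
        (an empty list while still under threshold)."""
        if event not in self.thresholds:
            return []
        count, interval, responses = self.thresholds[event]
        window = self._events[(user, event)]
        now = self.clock()
        window.append(now)
        while window and now - window[0] > interval:
            window.popleft()  # drop events that fell out of the interval
        if len(window) < count:
            return []
        window.clear()  # start counting afresh after responding
        for response in responses:
            self._respond(user, event, response)
        return list(responses)

    def _respond(self, user, event, response):
        if response == "log":
            self.log.append(f"INTRUSION {user}: {event} threshold exceeded")
        elif response == "logout":
            self.logged_out.add(user)
        elif response == "disable":
            self.disabled.add(user)


class ManualClock:
    """Constructed clock for the example: advance() moves time explicitly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds
```

Two details matter in practice. The response sent to the browser comes only from user_message, so a log message such as the rejected input or the rule it failed never leaks back to the client; and thresholds are per user and per event type, so one user's burst of validation failures raises a log entry while three authentication failures inside five minutes disables the account, exactly as the policy table states rather than as hard-coded behaviour.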
OWASP 17
ESAPI Book!
http://www.owasp.org/images/7/79/ESAPI_Book.pdf
OWASP 18
Closing Thoughts
I am learning an amazing amount (I thought I knew)
An ESAPI is a key part of a balanced breakfast
Build requirements, guidelines, training, tools around your ESAPI
Secondary benefits
May help static analysis do better
Enables security upgrades across applications
Simplifies developer training
Next year – experiences moving to ESAPI
OWASP 19
Questions and Answers
Rollout strategy?
Integrating existing security libraries?
Technical questions?
Contact Information: Jeff Williams [email protected] Work: 410-707-1487 Main: 301-604-4882