ESAPI: Jeff Williams, CEO, OWASP NYNJ (slide transcript; uploaded 2012-03-30)

Page 1
Jeff Williams, CEO
OWASP NYNJ
11/17/2011
Page 2
ESAPI is a philosophy
Not a library
Page 3
“Secure the Application Portfolio”
Page 5
“We Need Coverage!”
Page 6
Chart: Vuln Coverage (vertical axis) against Portfolio Coverage (horizontal axis)
Page 7
I love finding vulns
Page 8
• business layer access control issues
• internal identity management issues
• lack of a structured security error handling approach
• improper caching and pooling
• failure to log critical events
• logging sensitive information
• fail open security mechanisms
• many unusual forms of injection
• improper temporary storage of sensitive information
• encryption algorithm choice and implementation problems
• improperly protected credentials, keys, and other secrets
• backdoors, timebombs, easter eggs, and other malicious code
• all concurrency issues (race condition, toctou, deadlock, etc...)
• failure to use SSL to connect to backend systems
• lack of proper authentication with backend systems
• lack of access control over connections to backend systems
• lack of proper validation and encoding of data sent to and received from backend systems
• lack of proper error handling surrounding backend connections
• lack of centralization in security mechanisms
• other insane design and implementation patterns for security mechanisms
• code quality issues that lead to security issues (duplication, dead code, modularity, complexity, style)
• improper separation of test and production code
• lots more...

What’s in the list of things that you can’t really scan for?
Page 9
• Account lockout
• Posting unreviewed content
• Weakly hashed credentials
• Time of check, time of use
• Timing channel
• Weak password recovery
• Forced browsing
Tools don’t even attempt to find business logic problems
Page 10
Is anything you can’t scan for a business logic flaw?
Venn diagram: Business Logic Flaw vs. Scan-able Flaw
Page 11
Flowchart: Need to understand business? YES → Business logic flaw (BLF). NO → Not a business logic flaw → SCAN?
Page 12
Vulnerabilities and Controls
Page 13
Missing and broken security controls: very difficult to find with static tools
Page 14
NSA Center for Assured Software
• Seven tools
• 13,801 Test Cases
• 527 flaw types
• Various data and control flows
• 85% of problems were not “discriminated” by ANY tools
http://www.appsecusa.org/p/nsacas.pdf
Page 15
Results with False Alarms
Page 16
Serialized request captured from a test application (the injected payload is the URL-encoded `&ping -n 20 127.0.0.1&` at the end):
5|0|8|http://tester:8888/testapp/|9E4CB3D5635C548906BFB576DD18C710|com.test.app.client.GreetingService|greetServer|[Ljava.lang.String;/2600011424|hi|there|blah|1|2|3|4|1|5|5|3|6|7|8|%26ping%20-n%2020%20127.0.0.1%26
• Ajax
• Web Services
• Serialized Objects
• Mobile
• WebSocket
Penetration testing is about to get a LOT harder.
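As an added example (not from the slides), the decoder below reads the request above as a GWT-RPC body, which is what the `|`-delimited string table and the `[Ljava.lang.String;/2600011424` type token look like to me; the field order it assumes is version, flags, string-table size, the strings, then 1-based indices into that table. It resolves the service, method and parameters, URL-decodes whatever the declared parameters did not consume, and flags shell metacharacters, so a tester can see where an appended payload actually landed. The sample body is the slide's request re-joined on one line; the helper names are mine.

```python
"""Decode a GWT-RPC request body and report where untrusted strings landed.

Added example, not code from the slides: the request on the slide is read as
a GWT-RPC body (version|flags|string-table size|strings...|indices...).
Only the types needed for this request are decoded; anything else is left as
unparsed tokens so nothing is silently guessed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# The request reproduced on the slide, re-joined onto one line (constructed test input).
SAMPLE_REQUEST = (
    "5|0|8|http://tester:8888/testapp/|9E4CB3D5635C548906BFB576DD18C710|"
    "com.test.app.client.GreetingService|greetServer|[Ljava.lang.String;/2600011424|"
    "hi|there|blah|1|2|3|4|1|5|5|3|6|7|8|%26ping%20-n%2020%20127.0.0.1%26"
)

SHELL_METACHARS = set("&|;`$<>\n")


@dataclass
class GwtRequest:
    version: int
    flags: int
    module_base_url: str
    strong_name: str
    service: str
    method: str
    param_types: List[str]
    params: List[object]
    unconsumed: List[str]  # tokens left after all declared parameters were read


class _TokenReader:
    """Cursor over the tokens after the string table; string fields are 1-based table indices (0 = null)."""

    def __init__(self, tokens: List[str], table: List[str]):
        self.tokens, self.table, self.pos = tokens, table, 0

    def next_int(self) -> int:
        value = int(self.tokens[self.pos])
        self.pos += 1
        return value

    def next_string(self) -> Optional[str]:
        index = self.next_int()
        return None if index == 0 else self.table[index - 1]

    def remaining(self) -> List[str]:
        return self.tokens[self.pos:]


def _read_value(reader: _TokenReader, type_name: str):
    """Decode one parameter value; only String and String[] are handled here."""
    if type_name.startswith("java.lang.String/"):
        return reader.next_string()
    if type_name.startswith("[Ljava.lang.String;/"):
        reader.next_string()  # the array's own type token is repeated before its length
        return [reader.next_string() for _ in range(reader.next_int())]
    raise ValueError(f"no decoder for parameter type {type_name!r}")


def decode_gwt_rpc(body: str) -> GwtRequest:
    fields = body.rstrip("|").split("|")
    version, flags, table_size = int(fields[0]), int(fields[1]), int(fields[2])
    table = fields[3:3 + table_size]
    reader = _TokenReader(fields[3 + table_size:], table)
    module_base_url, strong_name, service, method = (reader.next_string() for _ in range(4))
    param_types = [reader.next_string() for _ in range(reader.next_int())]
    params = [_read_value(reader, t) for t in param_types]
    return GwtRequest(version, flags, module_base_url, strong_name, service, method,
                      param_types, params, reader.remaining())


def flagged_strings(req: GwtRequest) -> List[Tuple[str, str]]:
    """URL-decode every string the handler (or a blind scanner) could have sent; flag shell metacharacters."""
    candidates = []
    for value in req.params:
        for s in (value if isinstance(value, list) else [value]):
            if s is not None:
                candidates.append(("param", s))
    candidates += [("unconsumed", t) for t in req.unconsumed]
    return [(where, unquote(s)) for where, s in candidates if SHELL_METACHARS & set(unquote(s))]


if __name__ == "__main__":
    request = decode_gwt_rpc(SAMPLE_REQUEST)
    print(f"{request.service}.{request.method}({request.params})")
    for where, text in flagged_strings(request):
        print(f"suspicious {where}: {text!r}")
```

On this body the three declared array elements are `hi`, `there`, `blah`, and the command-injection string sits in an unconsumed trailing token: a scanner that appended it without understanding the format never reached the method's arguments, which is exactly why black-box tooling struggles with serialized protocols.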
Page 17
The fastest, cheapest way to get vulnerability coverage
• Static Analysis
• Manual Code Analysis
• Dynamic Analysis
• Manual Testing
• Threat Modeling
• Architecture Review
Page 18
Vulnerability coverage is hard.
Page 19
Portfolio Coverage
Page 20
1000 apps x 1 week* = $10m
It takes a village
* For any verification of risks you actually care about
Page 21
Invisible Cost
“Finding” 1x
“Fixing” 4x
Page 22
10,000 vulns* x ($1,000 to find + $4,000 to fix) = $50m
* Static guys say 10-40 “vulns” per kloc
Page 23
2000 vulns * $5,000 = $10m / year
Chart: Changed Code, New Code
Page 24
Security Verification Docket
* Budget
* Resources
* Planning
New and Changed Applications
Legacy Applications (Periodic)
Page 26
vFlow = Rate of fixed vulnerabilities – Rate of new vulnerabilities
Page 27
Portfolio Assurance Strategies
Chart labels: Manual, Scan, Spend, Pray, Reactive
Page 28
Portfolio coverage is hard.
Page 29
Chart: Rigor vs. Coverage

Page 30
How sure are you that the application isn’t at risk from that vulnerability?
Rigor ladder: Scan, Manual, Architecture, Malicious
Match the level of rigor to the threat and inherent risk
Page 31
What’s your assurance case?
Techniques: Malicious Review, Architecture Review, Manual Testing, Code Review, Dynamic Scan, Static Analysis, Blackbox Test
Questions for each: Who? How? How Long? Process? Evidence? Automatic? Independence?
Page 32
https://www.owasp.org/index.php/ASVS
Page 33
Rigor coverage is really hard.
Page 34
“Reactive approaches to appsec don’t scale”
– OR –
“You can’t hack yourself secure”
Page 35
A different approach.
Page 37
Projected XSS by coding pattern (Total = Instances × Exploitability, rounded):

| XSS Coding Pattern | Instances | Exploitability | Total |
|---|---|---|---|
| Escape attribute false | 72 | 10% | 7 |
| Repopulated form input | 3123 | 43% | 1343 |
| Simple echoed input | 852 | 86% | 733 |
| Untrusted data in JavaScript | 5487 | 4% | 219 |
| Untrusted data in comment | 251 | 15% | 38 |
| Untrusted session attribute | 3852 | 4% | 154 |
| Untrusted eval | 388 | 1% | 4 |
| Generated JavaScript | 70 | 8% | 6 |
| Use of untrusted URL | 10916 | 3% | 327 |
| Total Projected XSS | | | 2831 |
Page 38
ESAPI: Antipatterns, Controls, eLearning, Metrics
XSS → Only “Hard” XSS
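The reason a standard control removes the easy rows of the table above is that each output context needs its own escaping rule, and a developer who has one named encoder per context stops getting it wrong. The example below is mine, not ESAPI's Encoder code; it follows the same approach ESAPI takes (one function per context, everything that is not alphanumeric encoded) and renders four of the table's coding patterns with an attacker value both raw and encoded. The page fragments, the attacker value and the `run_demo` helper are constructed for the demonstration.

```python
"""Context-specific output encoding for the XSS coding patterns in the table above.

Added example, not ESAPI's code. It follows the approach ESAPI's Encoder takes
(one method per output context; everything that is not alphanumeric is encoded)
so the same untrusted value can be placed safely in HTML text, a quoted
attribute, a quoted JavaScript string, or a URL parameter. The page fragments
and the attacker value are constructed for the demo.
"""
import string
from typing import Callable, Dict, List
from urllib.parse import quote

_ALNUM = set(string.ascii_letters + string.digits)


def _encode(value: str, immune: str, escape: Callable[[str], str]) -> str:
    """Leave alphanumerics and the context's immune characters; escape everything else."""
    return "".join(c if c in _ALNUM or c in immune else escape(c) for c in value)


def encode_for_html(value: str) -> str:
    """HTML body text: numeric entities, so neither a tag nor an entity can be formed."""
    return _encode(value, ",.-_ ", lambda c: f"&#x{ord(c):x};")


def encode_for_html_attribute(value: str) -> str:
    """Quoted attribute value: as HTML, but space is encoded too (an unquoted attribute ends at whitespace)."""
    return _encode(value, ",.-_", lambda c: f"&#x{ord(c):x};")


def encode_for_javascript(value: str) -> str:
    """Inside a quoted JS string literal: \\xHH / \\uHHHH escapes, so quotes and </script> cannot terminate anything."""
    return _encode(value, ",._",
                   lambda c: f"\\x{ord(c):02X}" if ord(c) < 256 else f"\\u{ord(c):04X}")


def encode_for_url(value: str) -> str:
    """Query-string value: percent-encode everything except unreserved characters."""
    return quote(value, safe="")


def render(user: str, encode: bool) -> Dict[str, str]:
    """Render four coding patterns from the table with the value raw or encoded for its context."""
    identity: Callable[[str], str] = lambda s: s
    h, a, js, u = ((encode_for_html, encode_for_html_attribute, encode_for_javascript, encode_for_url)
                   if encode else (identity,) * 4)
    return {
        "simple echoed input": f"<p>Hello, {h(user)}</p>",
        "repopulated form input": f'<input type="text" name="user" value="{a(user)}">',
        "untrusted data in JavaScript": f"<script>var user = '{js(user)}';</script>",
        "use of untrusted URL": f'<a href="/profile?user={u(user)}">profile</a>',
    }


def injected(fragments: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Patterns where the untrusted value added raw markup or quote characters compared with a benign render."""
    return [name for name, html in fragments.items()
            if any(html.count(ch) != baseline[name].count(ch) for ch in "<>\"'")]


PAYLOAD = '"><script>alert(1)</script>'  # constructed attacker input


def run_demo() -> Dict[str, List[str]]:
    baseline = render("alice", encode=True)  # a benign value renders the same with or without encoding
    return {"raw": injected(render(PAYLOAD, encode=False), baseline),
            "encoded": injected(render(PAYLOAD, encode=True), baseline)}


if __name__ == "__main__":
    for mode, broken in run_demo().items():
        print(f"{mode}: {len(broken)} pattern(s) let the value break out: {broken}")
```

Raw rendering lets the value break out of all four contexts; the encoded rendering adds no markup or quote characters in any of them. Note that the HTML-body encoder is not enough on its own: it would leave a space unencoded, which is harmless in text but ends an unquoted attribute, and it does nothing about a quote inside a JavaScript string, which is why the control has to be chosen per context rather than applied once.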
Page 40
Chart: Application Portfolio (Less Critical to More Critical) against Coverage / Assurance. Labels: Scan, Scan, Scan, Deep Review; Standard Controls, Patterns.
Page 41
Strong simple security controls for every developer
Page 42
Goal: Secure the Portfolio
Reactive: Scale up verification
ESAPI: Scale down problem space
Page 44
• Strong?
• Simple?
• Method?
• Service?
• Standardized?
• Centralized?
• Externalized?
• Automatic?
• Manageable?
• Auditable?
• Assurance?
Page 45
ESAPI Scale
Easier Standards
Easier Architecture
Easier Development
Easier Training
Easier Verification
Easier Remediation
Page 46
Chart: quadrants 1-4 on ESAPI adoption against Portfolio Assurance Strategy. Labels: Before, A few controls, Standard controls, Ahead of the curve.
Page 47
Technical
* Provides Controls
* Speeds Development
Cultural
* Security Engaged
* Breaks Addiction
Page 49
Cycle: Understand Security Architecture → Develop One Standard Control → Verify Security → Pilot with Real Projects → Refine Control → Build Out Guidance → Measure Success and Expand
80% design, 20% implementation
Page 50
ESAPI Specification (In Progress)
ESAPI Application Programming Interface (API)
Implementations: Java, .NET, PHP, CF, ASP, Python, Ajax, Ruby, Force.com, C/C++, Android
Page 52
==Extra Slides==
Page 53
AppSec Training • Instructor-led and eLearning
Secure Development Support • Standards, architecture, controls, remediation
Verification Services • Code review, security testing, architecture review
AppSec Programs • Plan, team, process, metrics, communications
Page 56
• Access Control
• Authentication and Identity
• App Firewall
• Access Reference Map
• Output Escaping
• Input Validation
• Logging
• Exception Handling
• Secure Config
• Intrusion Detection
• HTTP Utilities
• Encryption and Signing
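The Access Reference Map in the list above is the control that closes the "forced browsing" flaw from slide 9, the kind of thing a scanner cannot judge because it needs to know which objects a user is allowed to see. The example below is my own illustration of the idea, not ESAPI's AccessReferenceMap code: the server mints a random token for each object the current user may reach, pages carry only tokens, and a token that was never issued fails closed instead of being looked up. Account numbers, the `/account?ref=` request shape and the helper names are made up for the demo.

```python
"""Access reference map: indirect references in place of raw object identifiers.

Added example, not ESAPI's AccessReferenceMap implementation. The server mints
a random token per object the current user may reach, the page only ever
carries tokens, and a token that was never issued fails closed. The account
numbers and request shape are made up for the demo.
"""
import secrets
from typing import Dict, Hashable, Iterable, Tuple


class AccessReferenceMap:
    """Per-user (per-session) two-way map between direct references and random indirect tokens."""

    def __init__(self, direct_refs: Iterable[Hashable] = ()):
        self._to_indirect: Dict[Hashable, str] = {}
        self._to_direct: Dict[str, Hashable] = {}
        self.update(direct_refs)

    def update(self, direct_refs: Iterable[Hashable]) -> None:
        """Issue tokens for references not seen before; existing ones keep their token."""
        for ref in direct_refs:
            if ref in self._to_indirect:
                continue
            token = secrets.token_urlsafe(12)
            while token in self._to_direct:  # vanishingly unlikely, but keep the map one-to-one
                token = secrets.token_urlsafe(12)
            self._to_indirect[ref] = token
            self._to_direct[token] = ref

    def get_indirect(self, direct: Hashable) -> str:
        """Token to put in a link or form; KeyError means the object is not in this user's set."""
        return self._to_indirect[direct]

    def get_direct(self, indirect: str) -> Hashable:
        """Resolve a token from the request; unknown or tampered tokens raise rather than fall through."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise PermissionError("reference not issued to this user") from None


def build_account_links(arm: AccessReferenceMap, accounts: Iterable[int]) -> Dict[int, str]:
    """What the presentation tier emits: links carry tokens, never the account numbers."""
    return {acct: f"/account?ref={arm.get_indirect(acct)}" for acct in accounts}


def handle_account_request(arm: AccessReferenceMap, query_ref: str) -> Hashable:
    """Server side of /account: only tokens this user's map issued resolve to an account number."""
    return arm.get_direct(query_ref)


def demo() -> Tuple[Dict[int, Hashable], bool, bool]:
    alice_accounts = [1001, 1002]               # result of a query already scoped to Alice
    arm = AccessReferenceMap(alice_accounts)    # would live in Alice's session
    links = build_account_links(arm, alice_accounts)
    resolved = {acct: handle_account_request(arm, link.split("ref=", 1)[1])
                for acct, link in links.items()}
    try:                                        # forced browsing with a guessed direct ID
        handle_account_request(arm, "1003")
        guessed_id_rejected = False
    except PermissionError:
        guessed_id_rejected = True
    try:                                        # tampering one character of a valid token
        token = arm.get_indirect(1001)
        handle_account_request(arm, token[:-1] + ("A" if token[-1] != "A" else "B"))
        tampered_rejected = False
    except PermissionError:
        tampered_rejected = True
    return resolved, guessed_id_rejected, tampered_rejected


if __name__ == "__main__":
    print(demo())  # ({1001: 1001, 1002: 1002}, True, True)
```

Because the map is built from a query already scoped to the user, authorization happens once, at the point where the tokens are minted, and every later resolution inherits it. That is also what makes the control easy to verify: a reviewer checks that request handlers call `get_direct` rather than reading identifiers straight from parameters, instead of reasoning about each handler's own checks.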
Page 57
Diagram: Enterprise Application Security Services over the Security Infrastructure, spanning the Client Tier, Presentation Tier, Component Tier and Back-Office Tier. Components shown: Browser, Application Client, Web Servers, Portals, Web Services, Application Servers, Databases, Mainframes, Legacy App.
Page 58
ESAPI Scorecard
Authentication
Identity
Access Control * *
Input Validation
Output Escaping
Canonicalization
Encryption
Random Numbers
Exceptions
Logging
Intrusion Detection
Security Config
App Firewall