Transcript of a PowerPoint presentation by OWASP: The OWASP Enterprise Security API (ESAPI)
![Page 1: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/1.jpg)
The OWASP Enterprise Security API (ESAPI)
OWASP
![Page 2: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/2.jpg)
ESAPI Mission
To ensure that strong, simple security controls are available to every developer in every environment
![Page 3: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/3.jpg)
Where Do Vulnerabilities Come From?
![Page 4: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/4.jpg)
Controls Every Application Needs
Access Control
Authentication and Identity
App Firewall
Access Reference
Map
Output Escaping
Input Validation
Logging
Exception Handling
Secure Config
Intrusion Detection
HTTP Utilities
Encryption and Signing
![Page 5: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/5.jpg)
Security Controls Are Hard
![Page 6: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/6.jpg)
Escaping Gone Wild: the many ways to write `<`
Percent Encoding: %3c %3C
HTML Entity Encoding: &lT &Lt &lT; ≪ (the slide's further named and numeric entity forms were decoded to a plain `<` during extraction)
JavaScript Escape: \< \x3c \X3c \u003c \U003c \x3C \X3C \u003C \U003C
CSS Escape: \3c \03c \003c \0003c \00003c \3C \03C \003C \0003C \00003C
Overlong UTF-8: %c0%bc %e0%80%bc %f0%80%80%bc %f8%80%80%80%bc %fc%80%80%80%80%bc
US-ASCII: ¼ (byte 0xBC, which is 0x3C, `<`, once the high bit is dropped)
UTF-7: +ADw-
Punycode: <-
All of the above decode to: <
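The slide shows why ad hoc escaping fails: the same character has dozens of spellings, so a validator that looks for a literal `<` is blind to most of them. The defensive counterpart is to canonicalize first (decode every scheme until nothing changes) and to refuse input that needed more than one decoding round, more than one scheme, or an overlong UTF-8 sequence, since none of those occur in honest traffic. The Python below is an added example, not code from the slides or from ESAPI; it follows the decode-until-stable idea of ESAPI's `Encoder.canonicalize`, but the decoders, the small entity table, the `{name:...}`-free return format and the multiple/mixed/overlong rules are this example's own assumptions (and the rules are stricter than ESAPI's counting). It handles every form on the slide and reports which decoders fired.

```python
"""Canonicalizer for the `<` spellings on the slide: percent, HTML entity,
JavaScript and CSS escapes, overlong UTF-8, UTF-7 and the US-ASCII high-bit
trick. Constructed example modeled on ESAPI's decode-until-stable idea; the
multiple/mixed/overlong rules below are this example's own, not ESAPI's."""
import re
from urllib.parse import unquote_to_bytes


class IntrusionError(ValueError):
    """Input carries double, mixed or overlong encoding: reject, do not repair."""


# (sequence length, mask, expected lead bits) for 2..6 byte UTF-8 leads
_LEADS = ((2, 0xE0, 0xC0), (3, 0xF0, 0xE0), (4, 0xF8, 0xF0), (5, 0xFC, 0xF8), (6, 0xFE, 0xFC))
_SHORTEST = (0x80, 0x800, 0x10000, 0x200000, 0x4000000)   # smallest code point per length


def _utf8_lenient(data):
    """Decode UTF-8 but also accept non-shortest (overlong) sequences, so that
    C0 BC, E0 80 BC, ..., FC 80 80 80 80 BC all come out as '<'.
    Returns (text, overlong_seen); stray bytes are kept as Latin-1."""
    out, i, overlong = [], 0, False
    while i < len(data):
        b = data[i]
        length = next((n for n, mask, lead in _LEADS if (b & mask) == lead), 0)
        tail = data[i + 1:i + length]
        if b < 0x80 or len(tail) != length - 1 or any((t & 0xC0) != 0x80 for t in tail):
            out.append(chr(b))            # ASCII, or a byte that starts no valid sequence
            i += 1
            continue
        cp = b & (0xFF >> (length + 1))   # payload bits of the lead byte
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        overlong |= cp < _SHORTEST[length - 2]
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += length
    return "".join(out), overlong


def _decode_percent(s):
    if not re.search(r"%[0-9a-fA-F]{2}", s):
        return s, False
    return _utf8_lenient(unquote_to_bytes(s))


_NAMED = {"lt": "<", "gt": ">", "amp": "&", "quot": '"', "apos": "'"}   # subset, for the example
_ENTITY = re.compile(r"&(?:#(?P<dec>[0-9]{1,7})|#[xX](?P<hex>[0-9a-fA-F]{1,6})|(?P<name>[a-zA-Z]+));?")


def _decode_html(s):
    def repl(m):
        if m.group("name"):   # case-insensitive on purpose, to catch the slide's &lT / &Lt
            return _NAMED.get(m.group("name").lower(), m.group(0))
        cp = int(m.group("dec") or m.group("hex"), 10 if m.group("dec") else 16)
        return chr(cp) if cp <= 0x10FFFF else "\ufffd"
    return _ENTITY.sub(repl, s)


# One pass handles \xHH / \uHHHH (JS), \H{1,6} (CSS) and identity escapes such as \<
_BACKSLASH = re.compile(r"\\(?:[xX](?P<x>[0-9a-fA-F]{2})|[uU](?P<u>[0-9a-fA-F]{4})"
                        r"|(?P<css>[0-9a-fA-F]{1,6})[ \t\r\n]?|(?P<ident>[^0-9a-fA-FxXuU]))")


def _decode_backslash(s, fired):
    def repl(m):
        if m.group("css"):
            fired.add("css-escape")
            cp = int(m.group("css"), 16)
        elif m.group("ident"):
            fired.add("js-escape")
            return m.group("ident")
        else:
            fired.add("js-escape")
            cp = int(m.group("x") or m.group("u"), 16)
        return chr(cp) if cp <= 0x10FFFF else "\ufffd"
    return _BACKSLASH.sub(repl, s)


_UTF7 = re.compile(r"\+[A-Za-z0-9+/]+-")


def _decode_utf7(s):
    def repl(m):
        try:
            return m.group(0).encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            return m.group(0)
    return _UTF7.sub(repl, s)


def _strip_high_bit(s):
    """The slide's US-ASCII trick: 0xBC becomes 0x3C when the high bit is dropped."""
    return "".join(chr(ord(c) & 0x7F) if 0x80 <= ord(c) <= 0xFF else c for c in s)


def canonicalize(s, strict=True, strip_high_bit=False):
    """Decode until stable; return (text, findings). With strict=True, raise
    IntrusionError for input that needed several rounds (multiple), several
    schemes (mixed) or used overlong UTF-8, instead of returning it."""
    passes, overlong, current = [], False, s
    for _ in range(10):                      # hostile input may nest; bound the loop
        fired = set()
        text, ovl = _decode_percent(current)
        if text != current:
            fired.add("percent")
            overlong |= ovl
        prev, text = text, _decode_html(text)
        if text != prev:
            fired.add("html-entity")
        text = _decode_backslash(text, fired)
        prev, text = text, _decode_utf7(text)
        if text != prev:
            fired.add("utf-7")
        if strip_high_bit:
            prev, text = text, _strip_high_bit(text)
            if text != prev:
                fired.add("high-bit")
        if not fired:
            break
        passes.append(fired)
        current = text
    decoders = sorted(set().union(*passes)) if passes else []
    findings = {"decoders": decoders, "multiple": len(passes) > 1,
                "mixed": len(decoders) > 1, "overlong": overlong}
    if strict and (findings["multiple"] or findings["mixed"] or overlong):
        raise IntrusionError(f"suspicious encoding in {s!r}: {findings}")
    return current, findings


# The forms from the slide (constructed list); each must canonicalize to '<'.
SLIDE_FORMS = ["%3c", "%3C", "&lT", "&Lt", "&lT;", "\\<", "\\x3c", "\\X3c", "\\u003c", "\\U003c",
               "\\3c", "\\03c", "\\003c", "\\0003c", "\\00003c", "%c0%bc", "%e0%80%bc",
               "%f0%80%80%bc", "%f8%80%80%80%bc", "%fc%80%80%80%80%bc", "+ADw-", "\u00bc"]


def all_slide_forms_decode_to_lt():
    return all(canonicalize(f, strict=False, strip_high_bit=True)[0] == "<" for f in SLIDE_FORMS)


def is_flagged(s):
    """True when strict canonicalization rejects the input."""
    try:
        canonicalize(s)
    except IntrusionError:
        return True
    return False


if __name__ == "__main__":
    for form in SLIDE_FORMS:
        text, findings = canonicalize(form, strict=False, strip_high_bit=True)
        print(f"{form!r:24} -> {text!r} {findings['decoders']}")
    print("double-encoded %253c flagged:", is_flagged("%253c"))
```

Run on its own the script prints each slide form next to its canonical `<` and the decoder that produced it. Note that the high-bit step is off by default: it rewrites every Latin-1 character, so it is only appropriate where the application has declared a US-ASCII charset and such bytes are known to be hostile.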
![Page 7: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/7.jpg)
Cheaper, Better, Faster
![Page 9: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/9.jpg)
Risk World / Assurance World
attacks, threats, exploits, vulnerabilities, risks, controls, accountability, pentest, scanning, assurance, patterns, verification, architecture, policy, impact, flaws, metrics, visibility, completeness
![Page 10: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/10.jpg)
ESAPI Scorecard
Authentication, Identity, Access Control, Input Validation, Output Escaping, Canonicalization, Encryption, Random Numbers, Exceptions, Logging, Intrusion Detection, Security Config, App Firewall
![Page 11: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/11.jpg)
Assurance
![Page 12: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/12.jpg)
Deceptively Tricky Problems for Developers
1. Input Validation and Output Encoding
2. Authentication and Identity
3. URL Access Control
4. Business Function Access Control
5. Data Layer Access Control
6. Presentation Layer Access Control
7. Errors, Logging, and Intrusion Detection
8. Encryption, Hashing, and Randomness
Lots more…
![Page 13: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/13.jpg)
Stopping Injection: Quick and Dirty
Ad Hoc Escaping
Generic Validation
![Page 14: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/14.jpg)
Stopping Injection: Enterprise
Automatic Escaping
Managed Specific Validation
Managed Generic Validation
![Page 15: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/15.jpg)
Jeff Williams, Aspect Security CEO
OWASP Foundation
[email protected]
http://www.aspectsecurity.com
twitter @planetlevel
410-707-1487
Questions?
![Page 16: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/16.jpg)
![Page 18: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/18.jpg)
Stopping Injection: Strong Application
Mandatory Escaping
Specific Validation
Generic Validation (+can)
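"Mandatory escaping" means the developer cannot forget to encode: the output layer refuses to emit data without a declared context. "Specific validation" means each input type has its own allow-list rule, checked after canonicalization. The Python below is an added example that shows both, and is not code from the slides or from ESAPI; the function names follow the shape of ESAPI's `encodeForHTML`, `encodeForJavaScript`, `encodeForURL` and `getValidInput`, while the `{name:context}` template slot syntax, the rule table and the sample values are assumptions of the example. Validation here assumes the value has already been canonicalized.

```python
"""Mandatory escaping and specific validation. Constructed example, not ESAPI
code; names mirror the shape of ESAPI's encodeForHTML / encodeForJavaScript /
encodeForURL and getValidInput. The {name:context} slot syntax is an
assumption made for this example."""
import re
import string

_ALNUM = frozenset(string.ascii_letters + string.digits)


def encode_for_html(s):
    """HTML body or attribute: every non-alphanumeric becomes a numeric
    entity, so nothing can close a tag or an attribute whatever the quoting."""
    return "".join(c if c in _ALNUM else "&#x%x;" % ord(c) for c in s)


def encode_for_javascript(s):
    """JS string literal: \\xHH below U+0100, \\uHHHH per UTF-16 unit above."""
    out = []
    for c in s:
        if c in _ALNUM:
            out.append(c)
        elif ord(c) < 0x100:
            out.append("\\x%02x" % ord(c))
        else:                      # astral characters become a surrogate pair
            units = c.encode("utf-16-be")
            out.append("".join("\\u%04x" % int.from_bytes(units[i:i + 2], "big")
                               for i in range(0, len(units), 2)))
    return "".join(out)


def encode_for_url(s):
    """URL query component: percent-encode the UTF-8 bytes of anything non-alphanumeric."""
    return "".join(c if c in _ALNUM else "".join("%%%02X" % b for b in c.encode("utf-8"))
                   for c in s)


class TemplateError(ValueError):
    """A slot without an output context: the template, not the data, is wrong."""


_ENCODERS = {"html": encode_for_html, "js": encode_for_javascript, "url": encode_for_url}
_SLOT = re.compile(r"\{(\w+)(?::(\w+))?\}")     # {name:context}; context is required


def template_is_well_formed(template):
    """Mandatory escaping: every slot must name a known output context."""
    return all(ctx in _ENCODERS for _, ctx in _SLOT.findall(template))


def render(template, **values):
    """Fill the slots, encoding each value for the context its slot declares."""
    if not template_is_well_formed(template):
        raise TemplateError("every slot needs :html, :js or :url")

    def fill(m):
        name, ctx = m.group(1), m.group(2)
        if name not in values:
            raise TemplateError(f"no value for slot {name!r}")
        return _ENCODERS[ctx](str(values[name]))
    return _SLOT.sub(fill, template)


class ValidationError(ValueError):
    pass


# Specific validation: one allow-list rule and length cap per input type (constructed rules).
_RULES = {
    "username": (re.compile(r"[a-z][a-z0-9_]{2,31}"), 32),
    "zipcode": (re.compile(r"\d{5}(?:-\d{4})?"), 10),
    "order_id": (re.compile(r"ORD-\d{8}"), 12),
}


def get_valid_input(context, value, rule_name):
    """Return the value if it satisfies the named rule, else raise. The value
    is assumed to be canonical already (ESAPI canonicalizes before matching)."""
    pattern, max_len = _RULES[rule_name]
    if value is None or len(value) > max_len:
        raise ValidationError(f"{context}: missing or longer than {max_len}")
    if not pattern.fullmatch(value):
        raise ValidationError(f"{context}: not a valid {rule_name}")
    return value


def is_valid_input(context, value, rule_name):
    try:
        get_valid_input(context, value, rule_name)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    who = "<b>Mallory</b> & friends"       # constructed untrusted value
    print(render("<p>Hello, {who:html}</p>\n<script>var who = '{who:js}';</script>\n"
                 '<a href="/search?q={who:url}">search</a>', who=who))
    print(is_valid_input("signup", "alice_01", "username"),
          is_valid_input("signup", "alice<x>", "username"))
```

The renderer raises before touching any data when a slot lacks a context, which turns a forgotten encoder into a failed test rather than an injection. The encoders deliberately encode everything outside `[A-Za-z0-9]`; that is more than strictly necessary for any one context but removes the need to reason about quoting rules per site.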
![Page 19: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/19.jpg)
ESAPI Web App Firewall (WAF)
(diagram labels: attacker, user, ESAPI WAF)
Critical application? PCI requirement? 3rd-party application? Legacy application? Incident response?
Virtual patches, Authentication rules, URL access control, Egress filtering, Attack surface reduction, Real-time security
![Page 20: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/20.jpg)
AuthN and AuthZ: Quick and Dirty
User in Session
Simple Authentication Model
Ad Hoc Authorization
![Page 21: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/21.jpg)
AuthN and AuthZ: Strong Application
Identity Everywhere
Automatic CG Authorization
Alternate Authentication
Automatic FG Authorization
![Page 22: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/22.jpg)
AuthN and AuthZ: Enterprise
AuthZ Policy Management
AuthZ Entitlement Mgmt
Identity Management
![Page 23: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/23.jpg)
Applications Enjoy Attacks
YouTube
Live Search
Blogger
![Page 24: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/24.jpg)
Accountability and Detection: Quick and Dirty
Ad Hoc Security Logging
Security Exceptions (2 msgs)
Ad Hoc Authorization
![Page 25: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/25.jpg)
Accountability and Detection: Strong Application
Intrusion Detection
Automatic Security Logging
![Page 26: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/26.jpg)
Accountability and Detection: Enterprise
Log Policy Management
Dynamic Incident Response
Centralized Logging
![Page 27: OWASP](https://reader035.vdocuments.site/reader035/viewer/2022062410/56816397550346895dd49036/html5/thumbnails/27.jpg)
ESAPI Swingset