[wroclaw #3] security fix or workaround
Security fix or workaround: which way to select?
Bohdan Serednytskyi, OWASP Lviv
We are…
• OWASP Lviv Chapter
• Security Consulting Team at SoftServe
Usual Project Flow
• Communication with the client
• Project execution
• Delivering results
• Consulting the dev team on fixing the issues
Client's Vision
"Tools will solve all our problems"
Automated Tools Effectiveness
https://www.outpost24.com/wp-content/uploads/2014/12/Picture1-1024x610.jpg
MITRE Claims
• All application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE).
• They also found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).
Case with One Educational Application
Security Test Results

| Risk | Vulnerability | Remediation Status |
|---|---|---|
| Critical | Cross-Site Request Forgery (CSRF) | Partially fixed |
| Critical | Cross-Site Scripting (Stored) | Needs improvement |
| High | Session token does not change after login | Fixed |
| Medium | User login ID enumeration | Fixed |
| Medium | Weak password requirements | Fixed |
| Medium | No logout function implemented | Fixed |
| Medium | Account enumeration | Fixed |
| Medium | Improper access control | Fixed |
| Medium | Student can reveal teacher's login from server response | Not fixed |
| Low | Error messages reveal sensitive information | Fixed |
| Low | Internal IP address disclosure | Fixed |
| Low | Insufficient password history management | Fixed |
XSS Vulnerability Fixing
Initial payload: '});alert(1)"
Protection implemented by Developers Team (a backslash is put before each quote): \'});alert(1)"
Modified payload: \'});alert(1)"
The same protection applied to the modified payload: \\'});alert(1)"
The added backslash now escapes the attacker's backslash instead of the quote, so the quote still closes the string and the payload runs.
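The bypass shown on this slide, as an added example that is not part of the original deck: `escapeQuotesOnly` plays the developers' fix, `encodeForJsString` is a context-aware alternative, and `splitAtLiteralEnd` checks where a JS tokenizer would actually end the string literal. The template `doSomething({ name: '<VALUE>' })` is an assumption about the vulnerable inline script.

```javascript
// Added example, not from the slides. Assumed vulnerable template: the value
// is written into an inline script as   doSomething({ name: '<VALUE>' });

// The developers' fix from the slide: put a backslash before each quote.
// It leaves backslashes that are already in the input untouched.
function escapeQuotesOnly(value) {
  return value.replace(/['"]/g, (q) => "\\" + q);
}

// Context-aware encoding for a JS string literal: every non-alphanumeric
// character (backslash included) becomes a \xHH or \uHHHH escape, so no
// input character can end the literal or the enclosing <script> element.
function encodeForJsString(value) {
  return value.replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

function buildScript(encoder, value) {
  return "doSomething({ name: '" + encoder(value) + "' });";
}

// Walk the generated script the way a JS tokenizer would: a backslash
// consumes the next character, the first unescaped quote ends the literal.
function splitAtLiteralEnd(script) {
  const start = script.indexOf("'") + 1;
  let i = start;
  while (i < script.length) {
    if (script[i] === "\\") { i += 2; continue; }
    if (script[i] === "'") break;
    i += 1;
  }
  return { literal: script.slice(start, i), trailing: script.slice(i + 1) };
}

// The value is contained if the code after the literal is exactly the
// template's own tail; anything else means part of the value became code.
function valueStaysInLiteral(encoder, value) {
  return splitAtLiteralEnd(buildScript(encoder, value)).trailing === " });";
}

const initialPayload = "'});alert(1)\"";     // slide: initial payload
const modifiedPayload = "\\'});alert(1)\"";  // slide: modified payload

console.log("quote-only vs initial :", valueStaysInLiteral(escapeQuotesOnly, initialPayload));
console.log("quote-only vs modified:", valueStaysInLiteral(escapeQuotesOnly, modifiedPayload));
console.log("js-encode  vs modified:", valueStaysInLiteral(encodeForJsString, modifiedPayload));
```

The quote-only fix passes the first payload and fails the second; the hex encoding contains both, because the backslash itself is encoded before anything else is interpreted.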
CSRF and Information Leakage Fixing
Best Practices
Every security flaw is a process problem
Security vulnerabilities are “patterned”.
A security issue can be widespread across all code bases.
Recommendations
• Ensure that root cause analysis is used
• Remove as many vulnerabilities of this type as is possible within the prescribed time frame or budget
• Involve a security expert
Use Fast Fix Methods - WAFs
A security solution on the web application level which does not depend on the application itself
Security Expert is not a Developer
Resources
• OWASP Secure Coding Practices
• OWASP Guide Project
• OWASP Enterprise Security API
• Microsoft Web Protection Library
Security is a Journey
Not a Destination
• Patching
• Updating
• Continuous security monitoring
• Regular security tests
Questions?
Thank You!
http://owasp-lviv.blogspot.com/