Cyber attacks are a real and growing threat to businesses, and an increasing number of attacks take place at the application layer. The best defence against them is to develop applications where security is incorporated as part of the software development lifecycle.
The OWASP Top 10 Proactive Controls project is designed to integrate security in the software development lifecycle. In this special presentation for PHPNW, based on v2.0 released this year, you will learn how to incorporate security into your software projects.
Recommended to all developers who want to learn the security techniques that can help them build more secure applications.
7. C1. Verify for Security Early and Often
• Choose the level of security for your application
• Security requirements and tests: OWASP ASVS
• Verify for Security Early and Often (OWASP ZAP in continuous integration)
9. SQL injection example
$email = "'; -- @owasp.org";
$sql = "UPDATE user SET email='$email' WHERE id='1'";
Becomes
UPDATE user SET email=''; -- @owasp.org' WHERE id='1'
The quote in the input closes the string literal, the semicolon ends the statement and "--" comments out the WHERE clause, so the statement that actually runs sets the email of every row.
11. C2. Control: Data Access Layer
Example of Query Parametrisation
How not to do it!
PHP:
<?php
// prepare() is called, but the user input has already been pasted into the
// SQL text, so there is nothing left for the driver to parametrise.
$stmt = $dbh->prepare("Update users set email = {$_GET['email']} where id=$id");
$stmt->execute();
12. C2: How NOT to
$sql = "Update users set email={$_GET['email']} where id=$id";
This one string combines both the code and the input: the SQL parser cannot differentiate between code and user input.
13. C2. Control: Data Access Layer
PHP: Query Parametrization - Correct Usage
<?php
$email = $_GET['email'];
// The SQL text contains only placeholders; the values are sent separately
// and are never parsed as SQL, whatever characters they contain.
$stmt = $dbh->prepare("Update users set email=:new_email where id=:user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
$stmt->execute();
20. C4: Examples of input to validate
• GET / POST data (including hidden fields)
• File uploads
• HTTP headers
• Cookies
• Database (data read back from storage is input too)
21. C4: Controls
PHP filter extension, available as standard since v5.2
Example of both validation and sanitisation:
<?php
$sanitised_url = filter_var($url, FILTER_SANITIZE_URL);
if (filter_var($sanitised_url, FILTER_VALIDATE_URL)) {
    echo "This is a valid URL.";
}
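The slide shows one sanitise-then-validate call. The following is an added example, not code from the talk: a small allowlist validator built on the same filter extension (PHP 7.4 or later assumed) that covers the common field types, returns typed values or null, and shows two caveats a practitioner runs into: FILTER_VALIDATE_URL accepts any scheme that has a host, and a value can pass validation and still be a working injection string. The sample inputs are constructed.

```php
<?php
// Added example, not from the slides: an allowlist validator built on the
// filter extension. Each function returns the typed, cleaned value, or null,
// and the caller rejects the request on null rather than trying to repair
// the input. The sample inputs below are constructed.

function validate_int_range(string $raw, int $min, int $max): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $v === false ? null : $v;
}

function validate_email(string $raw): ?string
{
    $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// FILTER_VALIDATE_URL checks syntax only and accepts any scheme with a host
// (ftp://, for instance), so the scheme is checked against an allowlist too.
function validate_http_url(string $raw): ?string
{
    // Sanitise first (strip characters that cannot appear in a URL), then
    // validate the result, as on the slide. Never skip the validate step.
    $clean = filter_var($raw, FILTER_SANITIZE_URL);
    if ($clean === false || filter_var($clean, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($clean, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $clean : null;
}

$cases = [
    // [field, raw input as it arrives in $_GET / $_POST, validator]
    ['id',    '42',                        fn ($s) => validate_int_range($s, 1, 1000)],
    ['id',    '42 OR 1=1',                 fn ($s) => validate_int_range($s, 1, 1000)],
    ['id',    '0',                         fn ($s) => validate_int_range($s, 1, 1000)],
    ['email', 'john@example.com',          'validate_email'],
    ['email', 'john@@example',             'validate_email'],
    ['email', "o'reilly@example.com",      'validate_email'],   // legal address with an apostrophe
    ['url',   'https://example.com/x',     'validate_http_url'],
    ['url',   'ftp://example.com/x',       'validate_http_url'],
    ['url',   "https://exa\x0Bmple.com/x", 'validate_http_url'], // control char stripped, then valid
];

foreach ($cases as [$field, $raw, $validator]) {
    $result = $validator($raw);
    printf("%-5s %-30s -> %s\n", $field, var_export($raw, true),
        $result === null ? 'REJECT' : 'accept ' . var_export($result, true));
}
// The apostrophe case is the reason C4 is not a substitute for C2: the address
// is valid and still closes a SQL string literal, so it must also be bound as a
// parameter when it reaches SQL (and encoded, C3, when it reaches HTML).
```

Validation narrows what reaches the application; it does not make a value safe for a particular sink. Keep the validator per field type in one place and treat a null as a rejected request, not as something to fix up.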
22. Input Validation Prevents 2nd Order SQL Injection
Register form
• Two users: "john" and "john'--"
• The username value "john'--" is stored as typed and becomes the SQL injection payload later
(Register form screenshot: Username field containing john'--, Password field)
23. 2nd Order SQL Injection Example
Change password form, logged in as john'--
(Change password form screenshot: Current Password, New Password, New Password fields)
24. 2nd Order SQL Injection Example
UPDATE users SET password='123' WHERE username='john'--' and password='abc'
Becomes
UPDATE users SET password='123' WHERE username='john'
The username read back from the session is concatenated into the query, "--" comments out the password check, and john's password is changed without knowing the current one.
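The three slides above describe the attack; the correct-usage slide for C2 describes the fix. The following is an added example, not code from the talk, that runs both against an in-memory SQLite database through PDO (assumes the pdo_sqlite extension; the schema, the two users and the plaintext passwords are constructed for the demo, hashing is covered under C5):

```php
<?php
// Added example, not from the slides: the second-order injection, run against
// an in-memory SQLite database through PDO (assumes pdo_sqlite). The schema
// and the users "john" and "john'--" are constructed here; passwords are kept
// in plain text only to keep the demo short.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)");

// Registration already used prepared statements, so the odd username is
// stored exactly as typed. That is correct: the mistake is trusting it later.
$ins = $dbh->prepare("INSERT INTO users (username, password) VALUES (:u, :p)");
$ins->execute([':u' => 'john',    ':p' => 'abc']);
$ins->execute([':u' => "john'--", ':p' => 'xyz']);

// How NOT to do it: the change-password handler trusts the username from the
// session because it "came from the database", and concatenates it.
function change_password_unsafe(PDO $dbh, string $sessionUser, string $current, string $new): int
{
    $sql = "UPDATE users SET password='$new' WHERE username='$sessionUser' AND password='$current'";
    echo "executing: $sql\n";
    return $dbh->exec($sql);   // rows affected
}

// Correct usage (C2): every value is a bound parameter; the SQL text is fixed.
function change_password_safe(PDO $dbh, string $sessionUser, string $current, string $new): int
{
    $stmt = $dbh->prepare(
        "UPDATE users SET password=:new WHERE username=:user AND password=:current"
    );
    $stmt->execute([':new' => $new, ':user' => $sessionUser, ':current' => $current]);
    return $stmt->rowCount();
}

function password_of(PDO $dbh, string $user): string
{
    $stmt = $dbh->prepare("SELECT password FROM users WHERE username=:u");
    $stmt->execute([':u' => $user]);
    return (string) $stmt->fetchColumn();
}

// Attacker is logged in as "john'--" and does not know john's current password.
$rows = change_password_unsafe($dbh, "john'--", 'wrong-guess', '123');
printf("unsafe: %d row(s) changed, john's password is now '%s'\n", $rows, password_of($dbh, 'john'));

// Same request through the parametrised handler: the username is compared
// literally, no row matches, john is untouched.
$rows = change_password_safe($dbh, "john'--", 'wrong-guess', '456');
printf("safe:   %d row(s) changed, john's password is still '%s'\n", $rows, password_of($dbh, 'john'));
```

The point of running it is the first printed line: the executed text ends at `username='john'`, so the `AND password=...` clause never reaches the engine. Parametrising every query, including the ones whose inputs "only come from our own table", removes the class of bug rather than this one instance.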
25. Proactive Control          Risks prevented
C4. Validate All Input         A1. Injection
                               A3. XSS
                               A10. Unvalidated Redirects and Forwards
28. C5: Best practices
• Secure password storage
• Multi-factor authentication
• Secure password recovery mechanism
• Transmit sensitive data only over TLS (v1.2)
• Non-revealing error messages
• Prevent brute-force attacks
29. C5. PHP password storage
• password_hash("my_password", PASSWORD_DEFAULT) (the algorithm argument is required; PASSWORD_DEFAULT is bcrypt today and may change in a later PHP version, so size the column for the longer result, 255 characters is the documented recommendation)
• since PHP v5.5
• compatibility library (password_compat) for versions < 5.5
30. C5. Password storage: How Not To
$password = bcrypt([salt] + [password], work_factor);
$loginkey = md5(lc([username]) . "::" . lc([password]));
Be consistent when storing sensitive data! The bcrypt work factor is wasted when a second, fast MD5 digest of the same (lower-cased) password is stored next to it: an attacker who obtains the table cracks the MD5 instead.
31. C5. Forgot Password
Forgot password design:
1) Ask one or more security questions
2) Send the user a randomly generated token
3) Verify the token in the same web session
4) Change the password
Resources
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
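Steps 2 and 3 of the design above are where implementations usually go wrong (guessable tokens, tokens that never expire, tokens stored in clear, or redeemable from any browser). The following is an added example, not code from the talk or the cheat sheet, of the token half of the flow. It assumes a `$tokens` store keyed by user id (an array here, a table with the same columns in practice), a 15-minute lifetime, and PHP 7.0 or later for `random_bytes()`:

```php
<?php
// Added example, not from the slides: steps 2 and 3 of the forgot-password
// design, the token part. $tokens stands in for a database table.

const RESET_TOKEN_TTL = 900;   // seconds; an assumption, tune to your risk

function issue_reset_token(array &$tokens, int $userId, string $sessionId, int $now): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG, not mt_rand()/uniqid()
    $tokens[$userId] = [
        'hash'    => hash('sha256', $token),      // only the hash is stored: a DB leak must not yield live tokens
        'expires' => $now + RESET_TOKEN_TTL,
        'session' => $sessionId,                  // redeemable only from the session that asked for it
        'used'    => false,
    ];
    return $token;                                // goes to the user out of band (e-mail); never echoed back
}

function redeem_reset_token(array &$tokens, int $userId, string $token, string $sessionId, int $now): bool
{
    if (!isset($tokens[$userId])) {
        return false;
    }
    $rec = $tokens[$userId];
    // One yes/no answer: the caller cannot learn which condition failed.
    $ok = !$rec['used']
        && $now <= $rec['expires']
        && hash_equals($rec['session'], $sessionId)
        && hash_equals($rec['hash'], hash('sha256', $token));   // constant-time comparison
    if ($ok) {
        $tokens[$userId]['used'] = true;          // single use: a replayed link is dead
    }
    return $ok;
    // Step 4 (set the new password) follows a true result, and should also
    // invalidate the user's other sessions.
}

// Constructed walk-through.
$tokens = [];
$t0     = time();
$token  = issue_reset_token($tokens, 42, 'sess-A', $t0);

var_dump(redeem_reset_token($tokens, 42, $token, 'sess-B', $t0 + 10));     // false: different session
var_dump(redeem_reset_token($tokens, 42, $token, 'sess-A', $t0 + 2000));   // false: expired
var_dump(redeem_reset_token($tokens, 42, $token, 'sess-A', $t0 + 10));     // true: the one valid use
var_dump(redeem_reset_token($tokens, 42, $token, 'sess-A', $t0 + 20));     // false: already used
```

Issuing a new token should overwrite the previous record, so at most one live token exists per user, and the "we have sent you an e-mail" page should read the same whether or not the address is registered, for the same reason as the error-message slide that follows.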
32. C5. Error messages
How not to do it!
(Screenshots: error message for a valid user vs error message for a not-registered user; the difference tells an attacker which usernames exist)
Error messages must be identical at both the HTTP level (status code, headers, and as far as possible response time) and the HTML level.
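Slides 29, 30 and 32 fit together in one login path: store only a bcrypt hash, derive nothing else from the password, and fail the same way whether the username or the password was wrong. The following is an added example, not code from the talk, showing that path with the `password_*` API (PHP 7.4 or later assumed). `$users` stands in for the user table and is constructed; the cost value is an assumption to be tuned per deployment:

```php
<?php
// Added example, not from the slides: password storage with password_hash()
// and a login check that gives the same answer, and does the same amount of
// work, whether or not the username exists. $users stands in for the user table.

const BCRYPT_COST = 12;   // assumption: pick so one hash costs ~100-250 ms on your login servers

function store_password(string $password): string
{
    // The result ("$2y$12$<salt><hash>") carries algorithm, cost and salt;
    // store only this. Nothing else derived from the password is kept: the
    // md5() "login key" on slide 30 would undo the bcrypt work.
    // Note: bcrypt uses only the first 72 bytes of the password.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Hash of a fixed password, verified against when the user does not exist,
// so that "no such user" and "wrong password" take the same time.
function dummy_hash(): string
{
    static $h = null;
    return $h ??= password_hash('dummy-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Returns [success, message]. The message is the same for every failure.
function login(array &$users, string $username, string $password): array
{
    $stored = $users[$username] ?? dummy_hash();
    $ok = password_verify($password, $stored) && isset($users[$username]);
    if (!$ok) {
        return [false, 'Invalid username or password'];
    }
    // Hash made with older parameters (e.g. a lower cost)? Re-hash now, while
    // the plaintext is in hand, and write it back. This is how the cost is
    // raised over time without forcing a password reset.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$username] = store_password($password);
    }
    return [true, 'OK'];
}

// Constructed user table: john registered when the cost was still 10.
$users = ['john' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10])];

foreach ([
    ['john',  'wrong'],                         // wrong password
    ['alice', 'anything'],                      // no such user: same message, same bcrypt cost paid
    ['john',  'correct horse battery staple'],  // success, and the hash is upgraded
] as [$u, $p]) {
    [$ok, $msg] = login($users, $u, $p);
    printf("%-6s %-5s %s\n", $u, $ok ? 'ok' : 'FAIL', $msg);
}
echo substr($users['john'], 0, 7), "...\n";   // now "$2y$12$": cost raised on login
```

The dummy verify is what makes the two failure cases indistinguishable at the HTTP level as well as in the HTML: without it, a missing user returns in microseconds and a wrong password in a tenth of a second. Brute-force limiting (the last bullet on slide 28) sits in front of this function and is keyed on both username and source address.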
33. Proactive Control                                Risks prevented
C5. Establish Identity and Authentication Controls   A2. Broken Authentication and Session Management
35. C6: Best Practices
• Deny by default
• Least privilege
• Force all requests to go through access control checks
• Check on the server when each function is accessed
36. C6: Role vs Resource based ACLs
Role based
if (user.hasRole("Project Manager")) {
    //show the project report button
} else {
    //don't show the button
}
Every new role that needs the report means editing every such check:
if (user.hasRole("Project Manager") || user.hasRole("Admin")) {
    //show the project report button
} else {
    //don't show the button
}
Resource based
if (user.isPermitted("project:view:123")) {
    //show the project report button
} else {
    //don't show the button
}
The code asks about a specific action on a specific resource; which roles carry that permission is configured in one place, outside the code.
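The snippets above only decide whether to show a button. The following is an added example, not code from the talk, of the server-side half: a resource-based check in the `domain:action:id` form used on the slide, with the three properties from slide 35 (deny by default, least privilege, every request goes through the check). The `User` class, its grant strings and the sample users are constructed for the example (PHP 7.4 or later assumed):

```php
<?php
// Added example, not from the slides: a resource-based check enforced on the
// server for every request. Permission strings follow "domain:action:id";
// the users and their grants are constructed.

final class User
{
    public string $name;
    /** @var string[] permissions granted to this user */
    private array $grants;

    public function __construct(string $name, array $grants)
    {
        $this->name   = $name;
        $this->grants = $grants;
    }

    // "project:view:123" is permitted if any grant matches it part by part;
    // "*" in a grant part matches anything. Anything not granted is denied.
    public function isPermitted(string $permission): bool
    {
        $want = explode(':', $permission);
        foreach ($this->grants as $grant) {
            $have = explode(':', $grant);
            if (count($have) !== count($want)) {
                continue;
            }
            $match = true;
            foreach ($want as $i => $part) {
                if ($have[$i] !== '*' && $have[$i] !== $part) {
                    $match = false;
                    break;
                }
            }
            if ($match) {
                return true;
            }
        }
        return false;   // deny by default
    }
}

// Server-side gate: every handler calls this before doing the work. Hiding a
// button in the UI (the slide's example) is usability, not security.
function require_permission(User $user, string $permission): void
{
    if (!$user->isPermitted($permission)) {
        throw new RuntimeException("403: {$user->name} may not $permission");
    }
}

// The id comes from the request, and the check is on that id, not on a role:
// this is what closes A4 (insecure direct object reference) as well as A7.
function view_project_report(User $user, int $projectId): string
{
    require_permission($user, "project:view:$projectId");
    return "report for project $projectId";
}

// Constructed users: the project manager may see project 123 only; admin sees all.
$pm    = new User('pm',    ['project:view:123', 'project:edit:123']);
$admin = new User('admin', ['project:*:*']);
$guest = new User('guest', []);

foreach ([[$pm, 123], [$pm, 124], [$admin, 124], [$guest, 123]] as [$u, $id]) {
    try {
        printf("%-5s project %d: %s\n", $u->name, $id, view_project_report($u, $id));
    } catch (RuntimeException $e) {
        printf("%-5s project %d: %s\n", $u->name, $id, $e->getMessage());
    }
}
```

In a real application the grants are loaded from the database for the authenticated user and `require_permission()` is called from a front controller or middleware, so that a handler cannot be reached without passing it.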
37. Proactive Control                       Risks prevented
C6. Implement Appropriate Access Controls   A4. Insecure Direct Object References
                                            A7. Missing Function Level Access Control
39. C7 Controls: Data in transit
Data in transit: HTTPS
• Confidentiality: an attacker on the network cannot view your data
• Integrity: an attacker on the network cannot change your data
• Authenticity: the server you visit is the right one
MITM protection - HSTS
• HTTPS + the Strict-Transport-Security response header (the browser then refuses plain HTTP to the site for the max-age period; the header only counts when received over HTTPS)
40. C7 Controls: Data at rest
1. Algorithm: AES (Advanced Encryption Standard)
2. Secure key management
3. Adequate access controls and auditing
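The slide names the algorithm and key management but not the mode, and an unauthenticated mode (ECB, bare CBC) is the usual mistake. The following is an added example, not code from the talk, of encrypting a field at rest with AES-256-GCM through ext/openssl (PHP 7.1 or later). It assumes the key arrives in the `DATA_KEY` environment variable as 32 hex-encoded random bytes, provisioned by your key-management process; a throwaway key is generated when it is unset so the example runs on its own. The card number is a constructed test value:

```php
<?php
// Added example, not from the slides: AES-256-GCM for data at rest. The key
// comes from the environment (DATA_KEY, 32 bytes hex-encoded, an assumption);
// it is never in the source or the database.

const CIPHER = 'aes-256-gcm';

function load_key(): string
{
    $hex = getenv('DATA_KEY');
    if ($hex === false) {
        $hex = bin2hex(random_bytes(32));   // demo only; a real key must persist and be access-controlled
    }
    $key = hex2bin($hex);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('DATA_KEY must be 32 bytes, hex-encoded');
    }
    return $key;
}

// Returns iv || tag || ciphertext, base64-encoded, so one column holds everything
// needed to decrypt except the key. $aad binds the blob to its context (e.g. the
// row id) so a ciphertext cannot be copied into another record.
function encrypt_field(string $plaintext, string $key, string $aad = ''): string
{
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));   // 12 bytes, fresh for every encryption
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

function decrypt_field(string $blob, string $key, string $aad = ''): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 12 + 16) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    return $pt === false ? null : $pt;   // false means the tag did not verify: tampered, or wrong context
}

// Constructed walk-through.
$key  = load_key();
$blob = encrypt_field('4111 1111 1111 1111', $key, 'user:42');
echo "stored: $blob\n";
var_dump(decrypt_field($blob, $key, 'user:42'));   // the plaintext
var_dump(decrypt_field($blob, $key, 'user:43'));   // null: bound to a different record

// Flip one bit of the ciphertext: GCM detects it and returns nothing.
$raw = base64_decode($blob);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
var_dump(decrypt_field(base64_encode($raw), $key, 'user:42'));   // null: ciphertext modified
```

The second and third slide points are what this leaves to the deployment: who can read `DATA_KEY` (and rotate it, which means re-encrypting with a new key and keeping a key id in the blob), and logging of every decrypt, since the database alone no longer shows who looked at the value.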
42. New Website
(Diagram: the seven controls applied to a new site)
C1 Verify for Security Early and Often
C2 Parametrize Queries
C3 Encode Data
C4 Validate Input
C5 Authentication
C6 Access Controls
C7 Protect Data