The OWASP Foundation
OWASP & WASC AppSec 2007 Conference
San Jose – Nov 2007
http://www.owasp.org/
http://www.webappsec.org/
Copyright © 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Enterprise Security API
Jeff Williams
OWASP Foundation Chair, [email protected]
Aspect Security CEO, [email protected]
OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
The Challenge…
Your enterprise has hundreds of applications
Every one of them needs:
  Authentication, access control, input validation, encoding, encryption, logging, error handling, etc…
You can use these building blocks:
  Log4j, Reform, ACEGI, Struts, Stinger, Spring, Validator, Jasypt, JCE, JAAS, Cryptix, BouncyCastle, Anti-XSS, HDIV, xml-dsig, xml-enc, lots lots more….
The Challenge…
(Diagram: the building blocks named above, Java Logging, Reform, ACEGI, Struts, Stinger, Anti-XSS, BouncyCastle, Spring, Log4j, Commons Validator, Jasypt, JCE, JAAS, Cryptix, HDIV, xml-dsig and xml-enc, scattered across the slide.)
Philosophy
Using security controls is different from building them
  All the security guidelines, courses, tutorials, websites, books, etc… are all mixed up because everyone builds their own controls
Most developers shouldn’t build security controls
  When to use a control
  How to use a control
  Why to use a control (maybe)
Most enterprises need the same set of calls
Design
Only include methods that…
  Are widely useful and focus on the most risky areas
Designed to be simple to understand and use
  Interfaces with concrete reference implementation
  Full documentation and usage examples
Same basic API across common platforms
  Java EE, .NET, PHP, others?
  Useful to Rich Internet Applications?
Architecture Overview
Create Your ESAPI Implementation
Your Security Services
  Wrap your existing libraries and services
  Extend and customize your ESAPI implementation
  Fill in gaps with the reference implementation
Your Coding Guideline
  Tailor the ESAPI coding guidelines
  Retrofit ESAPI patterns to existing code
Frameworks and ESAPI
ESAPI is NOT a framework
  Just a collection of security functions, not “lock in”
Frameworks already have some security
  Controls are frequently missing, incomplete, or wrong
ESAPI Framework Integration Project
  We’ll share best practices for integrating
  Hopefully, framework teams like Struts adopt ESAPI
Project Plan and Status
(Timeline, of which two milestones survive:)
2002 – Start Collecting
9/07 – Sneak Peek
Quality
Handling Authentication and Identity
(Diagram: Users.)
Authenticator
Key Methods
  createUser(accountName, pass1, pass2)
  generateStrongPassword()
  getCurrentUser()
  login(request, response)
  logout()
  verifyAccountNameStrength(acctName)
  verifyPasswordStrength(newPass, oldPass)
Use threadlocal variable to store current User
Automatically change session on login and logout
User
Key Methods
  changePassword(old, new1, new2)
  disable()
  enable()
  getAccountName()
  getScreenName()
  getCSRFToken()
  getLastFailedLoginTime()
  getLastLoginTime()
  getRoles()
  isInRole(role)
  isEnabled()
  isExpired()
  isLocked()
  loginWithPassword(password, request, response)
  resetCSRFToken()
  resetPassword()
  verifyCSRFToken(token)
Enforcing Access Control
(Diagram: FunctionCheck.)
AccessController
Key Methods
  isAuthorizedForData(key)
  isAuthorizedForFile(filepath)
  isAuthorizedForFunction(functionName)
  isAuthorizedForService(serviceName)
  isAuthorizedForURL(url)
Reference Implementation (not required)
  /admin/* | admin | allow | admin access to /admin
  /* | any | deny | default deny rule
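An added example (not ESAPI's own code) of how the rule format on the slide can drive isAuthorizedForURL: rules are read top to bottom, the first rule whose path and role both match decides, and the trailing "/* | any | deny" line is what makes the default deny explicit. The class name, the "/reports/*" rule and the trailing-wildcard-only matcher are assumptions for the example.

```java
import java.util.*;

// Added example (not ESAPI code): first-match evaluation of "path | role | allow/deny | comment" rules.
public class UrlAccessRules {
    // Constructed rule set built around the two rules shown on the slide.
    static final String RULES =
        "/admin/* | admin | allow | admin access to /admin\n" +
        "/reports/* | any | allow | reports for any authenticated user\n" +
        "/* | any | deny | default deny rule\n";

    static final class Rule {
        final String pattern, role; final boolean allow;
        Rule(String p, String r, boolean a) { pattern = p; role = r; allow = a; }
    }

    static List<Rule> parse(String text) {
        List<Rule> rules = new ArrayList<>();
        for (String line : text.split("\n")) {
            String[] f = line.split("\\|");
            if (f.length < 3) continue;                  // skip blank or malformed lines
            rules.add(new Rule(f[0].trim(), f[1].trim(), "allow".equals(f[2].trim())));
        }
        return rules;
    }

    // Only the trailing "*" wildcard used on the slide is supported.
    static boolean matches(String pattern, String url) {
        if (pattern.endsWith("*")) return url.startsWith(pattern.substring(0, pattern.length() - 1));
        return pattern.equals(url);
    }

    // The url is assumed to be canonicalized already (no ".." segments or encoded characters left in it).
    // Rules are checked top to bottom; the first one whose path and role both match decides.
    static boolean isAuthorizedForURL(List<Rule> rules, String url, Set<String> roles) {
        for (Rule r : rules) {
            if (!matches(r.pattern, url)) continue;
            if ("any".equals(r.role) || roles.contains(r.role)) return r.allow;
        }
        return false;                                    // nothing matched: deny
    }

    public static void main(String[] args) {
        List<Rule> rules = parse(RULES);
        Set<String> admin = new HashSet<>(Arrays.asList("admin", "user"));
        Set<String> user = new HashSet<>(Arrays.asList("user"));
        System.out.println(isAuthorizedForURL(rules, "/admin/users", admin));  // admin rule
        System.out.println(isAuthorizedForURL(rules, "/admin/users", user));   // default deny
        System.out.println(isAuthorizedForURL(rules, "/reports/q3.xls", user)); // any role
    }
}
```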
Handling Direct Object References
(Diagram: the indirect reference in the URL http://app?file=7d3J93 maps to the direct reference Report123.xls.)
AccessReferenceMap
Key Methods
  getDirectReference(indirectReference)
  getIndirectReference(directReference)
  iterator()
  update(directReferences)
Example
  http://www.ibank.com?file=report123.xls
  http://www.ibank.com?file=a3nr38
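An added example (not ESAPI's own code) of the idea behind the slide: the browser only ever sees a random per-user token such as a3nr38, and getDirectReference() resolves only tokens this map issued, so editing the URL cannot reach an object the user was never given. The class name, the six-character token format and the sample file names are assumptions for the example.

```java
import java.security.SecureRandom;
import java.util.*;

// Added example (not ESAPI code): per-user map between random tokens and real object names.
public class RandomAccessReferenceMap {
    private static final String ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";
    private final SecureRandom random = new SecureRandom();
    private final Map<String, String> itod = new HashMap<>(); // indirect token -> direct reference
    private final Map<String, String> dtoi = new HashMap<>(); // direct reference -> indirect token

    // Six lowercase alphanumerics, like the slide's "a3nr38"; a longer token costs nothing.
    private String randomToken() {
        char[] buf = new char[6];
        for (int i = 0; i < buf.length; i++) buf[i] = ALPHABET.charAt(random.nextInt(ALPHABET.length()));
        return new String(buf);
    }

    // Register exactly the objects this user may reach; dropped ones lose their tokens, new ones get fresh ones.
    public void update(Set<String> directReferences) {
        dtoi.keySet().retainAll(directReferences);
        itod.values().retainAll(directReferences);
        for (String direct : directReferences) {
            if (dtoi.containsKey(direct)) continue;
            String indirect;
            do { indirect = randomToken(); } while (itod.containsKey(indirect));
            dtoi.put(direct, indirect);
            itod.put(indirect, direct);
        }
    }

    // Used when rendering links: only objects registered for this user can be named at all.
    public String getIndirectReference(String direct) {
        String indirect = dtoi.get(direct);
        if (indirect == null) throw new IllegalArgumentException("object not available to this user");
        return indirect;
    }

    // Used when handling the request: an unknown token is a tampered, guessed or stale reference.
    public String getDirectReference(String indirect) {
        String direct = itod.get(indirect);
        if (direct == null) throw new SecurityException("invalid indirect reference: " + indirect);
        return direct;
    }

    public static void main(String[] args) {
        RandomAccessReferenceMap map = new RandomAccessReferenceMap();
        map.update(new HashSet<>(Arrays.asList("report123.xls", "report124.xls")));
        String token = map.getIndirectReference("report123.xls");
        System.out.println("http://www.ibank.com?file=" + token + " -> " + map.getDirectReference(token));
        try { map.getDirectReference("report123.xls"); }    // real name submitted instead of a token
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```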
Validating and Encoding Untrusted Input
(Diagram: Validate, EncodeForHTML.)
Validator
Key Methods
  canonicalize(input), normalize(input)
  isValidFileUpload(filepath, filename, content)
  getValidDataFromBrowser(type, input)
  isValidDataFromBrowser(type, input)
  isValidHTTPRequest(request)
  isValidRedirectLocation(location)
  isValidSafeHTML(input), getValidSafeHTML(input)
  safeReadLine(inputStream, maxchars)
Canonicalization is really important, yet always ignored
Global validation of HTTP requests

Decode This
<input name="test" value="test" onblur="alert('xss')">
%26lt;
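An added example (not ESAPI's own code) of what canonicalize() has to do with the slide's "%26lt;": one URL-decoding pass yields "&lt;", and a further entity-decoding pass yields "<", so a validator that checks only the raw string, or decodes only once, misses the bracket. The loop below decodes until nothing changes and counts the passes, which lets the caller treat double or mixed encoding as an intrusion signal; the class name and the small entity table are assumptions for the example.

```java
import java.util.function.Function;
import java.util.regex.*;

// Added example (not ESAPI code): strip URL and HTML-entity encoding layers until the value
// stops changing; a value that needed more than one pass was double or mixed encoded.
public class Canonicalizer {
    private static final Pattern PCT = Pattern.compile("%([0-9A-Fa-f]{2})");
    private static final Pattern ENT = Pattern.compile("&(lt|gt|amp|quot|#(\\d{1,5}));");
    static final class Result {                 // plain text plus the number of decode passes applied
        final String value; final int passes;
        Result(String v, int p) { value = v; passes = p; }
    }

    // One decoding pass; every replacement shortens the string, so canonicalize() always terminates.
    private static String decodeOnce(Pattern p, String s, Function<Matcher, String> rep) {
        Matcher m = p.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) m.appendReplacement(out, Matcher.quoteReplacement(rep.apply(m)));
        return m.appendTail(out).toString();
    }

    static String urlDecodeOnce(String s) {
        return decodeOnce(PCT, s, m -> String.valueOf((char) Integer.parseInt(m.group(1), 16)));
    }

    // Small constructed entity table: the named entities an HTML encoder emits, plus decimal references.
    static String htmlDecodeOnce(String s) {
        return decodeOnce(ENT, s, m -> {
            String n = m.group(1);
            if (n.charAt(0) == '#') return String.valueOf((char) Integer.parseInt(m.group(2)));
            return n.equals("lt") ? "<" : n.equals("gt") ? ">" : n.equals("amp") ? "&" : "\"";
        });
    }

    static Result canonicalize(String input) {
        String cur = input; int passes = 0;
        for (;;) {
            String next = urlDecodeOnce(cur);
            if (next.equals(cur)) next = htmlDecodeOnce(cur);   // URL layer first, then entity layer
            if (next.equals(cur)) return new Result(cur, passes);
            cur = next; passes++;
        }
    }

    public static void main(String[] args) {
        for (String in : new String[] { "hello", "&lt;", "%26lt;", "%2526lt;" }) {
            Result r = canonicalize(in);
            System.out.println(in + " -> " + r.value + " after " + r.passes + " pass(es)"
                + (r.passes > 1 ? "   multiple encoding: reject and report" : ""));
        }
    }
}
```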
Encoder
Enhancing HTTP
Add CSRF Token
Secure Cookies
Secure Redirect
No Cache Headers
Verify CSRF Token
Safe Request Logging
Safe File Upload
Add Safe Header
HTTPUtilities
Key Methods
  addCSRFToken(href), checkCSRFToken(href)
  addSafeCookie(name, value, age, domain, path)
  addSafeHeader(header, value)
  changeSessionIdentifier()
  getFileUploads(tempDir, finalDir)
  isSecureChannel()
  killCookie(name)
  sendSafeRedirect(href)
  setContentType()
  setNoCacheHeaders()
Safer ways of dealing with HTTP, secure cookies
Encryptor
Key Methods
  decrypt(ciphertext)
  encrypt(plaintext)
  hash(plaintext, salt)
  loadCertificateFromFile(file)
  getTimeStamp()
  seal(data, expiration)
  verifySeal(seal, data)
  sign(data)
  verifySignature(signature, data)
Simple master key in configuration
Minimal certificate support
EncryptedProperties
Key Methods
  getProperty(key)
  setProperty(key, value)
  keySet()
  load(inputStream)
  store(outputStream, comments)
Simple protected storage for configuration data
Main program to preload encrypted data!
Randomizer
Key Methods
  getRandomGUID()
  getRandomInteger(min, max)
  getRandomReal(min, max)
  getRandomString(length, characterSet)
Several pre-defined character sets
  Lowers, uppers, digits, specials, letters, alphanumerics, password, etc…
Exception Handling
EnterpriseSecurityException
  AccessControlException(userMsg, logMsg)
  AuthenticationException(userMsg, logMsg)
  AvailabilityException(userMsg, logMsg)
  CertificateException(userMsg, logMsg)
  EncodingException(userMsg, logMsg)
  EncryptionException(userMsg, logMsg)
  ExecutorException(userMsg, logMsg)
  IntrusionException(userMsg, logMsg)
  ValidationException(userMsg, logMsg)
Sensible security exception framework
Logger
Key Methods
  getLogger(applicationName, moduleName)
  formatHttpRequestForLog(request, sensitiveList)
  logCritical(type, message, throwable)
  logDebug(type, message, throwable)
  logError(type, message, throwable)
  logSuccess(type, message, throwable)
  logTrace(type, message, throwable)
  logWarning(type, message, throwable)
All ESAPI exceptions are automatically logged
Detecting Intrusions
(Diagram: Log, Logout, and Disable.)
IntrusionDetector
Key Methods
  addException(exception)
  addEvent(event)
Model
  EnterpriseSecurityExceptions automatically added
  Specify a threshold for each event type
    org.owasp.esapi.ValidationException.count=3
    org.owasp.esapi.ValidationException.interval=3 (seconds)
    org.owasp.esapi.ValidationException.action=logout
  Actions are log message, disable account
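An added example (not ESAPI's own code) of a detector driven by the three properties on the slide: the count, interval and action for one exception type are read from the property format shown, and the configured action is returned only when the third ValidationException from the same user lands inside a 3-second window. The class name, the per-user sliding window and the "log" default action are assumptions for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.*;

// Added example (not ESAPI code): sliding-window thresholds driven by the slide's property format.
public class IntrusionDetector {
    // Constructed configuration using the three keys shown on the slide.
    static final String CONFIG =
        "org.owasp.esapi.ValidationException.count=3\n" +
        "org.owasp.esapi.ValidationException.interval=3\n" +
        "org.owasp.esapi.ValidationException.action=logout\n";
    static final class Threshold {
        final int count; final long intervalMillis; final String action;
        Threshold(int c, long seconds, String a) { count = c; intervalMillis = seconds * 1000L; action = a; }
    }
    private final Map<String, Threshold> thresholds = new HashMap<>();
    private final Map<String, Deque<Long>> history = new HashMap<>(); // "user|event" -> recent timestamps

    IntrusionDetector(String configText) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(configText));
        for (String key : p.stringPropertyNames()) {
            if (!key.endsWith(".count")) continue;
            String event = key.substring(0, key.length() - ".count".length());
            thresholds.put(event, new Threshold(Integer.parseInt(p.getProperty(key)),
                Long.parseLong(p.getProperty(event + ".interval")), p.getProperty(event + ".action", "log")));
        }
    }

    // Records one event (the type is the exception's class name); returns the action once `count`
    // events fall inside `interval`, or null while still below the threshold.
    String addEvent(String user, String eventType, long nowMillis) {
        Threshold t = thresholds.get(eventType);
        if (t == null) return null;                          // no threshold configured for this type
        Deque<Long> times = history.computeIfAbsent(user + "|" + eventType, k -> new ArrayDeque<>());
        times.addLast(nowMillis);
        while (nowMillis - times.peekFirst() > t.intervalMillis) times.pollFirst(); // age out old events
        if (times.size() < t.count) return null;
        times.clear();                                       // fire once per burst, then start over
        return t.action;
    }

    public static void main(String[] args) throws IOException {
        IntrusionDetector d = new IntrusionDetector(CONFIG);
        String ev = "org.owasp.esapi.ValidationException";
        long t0 = 1_000_000L;                                // constructed clock, in milliseconds
        for (long dt : new long[] { 0, 1000, 2000 })        // three failures in 2 s: the third one fires
            System.out.println("alice: " + d.addEvent("alice", ev, t0 + dt));
        for (long dt : new long[] { 0, 2000, 4000 })        // spread over 4 s: never three inside 3 s
            System.out.println("bob: " + d.addEvent("bob", ev, t0 + dt));
    }
}
```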
SecurityConfiguration
Customizable…
  Crypto algorithms
  Encoding algorithms
  Character sets
  Global validation rules
  Logging preferences
  Intrusion detection thresholds and actions
  Etc…
All security-relevant configuration in one place
Coverage
Closing Thoughts
I have learned an amazing amount (I thought I knew)
An ESAPI is a key part of a balanced breakfast
  Build requirements, guidelines, training, tools around your ESAPI
Secondary benefits
  May help static analysis do better
  Enables security upgrades across applications
  Simplifies developer training
Next year – experiences moving to ESAPI