If you can't read please download the document
Upload
joachim-van-der-auwera
View
453
Download
0
Embed Size (px)
Citation preview
Joachim Van der Auwera
ASVS
in a business application
Who am I
Disclaimer
ASVS v2
Application Security Verification Standard
The primary aim of the OWASP Application Security Verification Standard (ASVS) is to normalize the range in the coverage and level of rigor available in the market when it comes to performing web application security verification.
OWASP
Why ?
Who knows OWASP?
OWASP -> Open Web Application Security Project Improve security of software Make software security visible -> informed decisions about true software security risks
ASVS -> practical reference to think about security
Questions -> raise hand personal opinion - discuss
Four levels
Cursory : optional, some kind of verification, custom requirements
Opportunitic Requirements can be verified using minimal-to-low effort Protection against simple attacks or easy-to-exploit vulnerabilities
Standard Includes OWASP Top 10 and business logic sensitive applications, b2b applicatons
Advanced Include more difficult to exploit vulnerabilities Protect against determined attackers - also check design, reqs + - security stuff (cross cutting) -> centralized implementation - all validation should use whitelist approach - input validation only second line of defense, parameterization and output encoding is first Critical app, life and safety, substantial damage, sensitive assets
Scope + The code for the application or release needs to comply with req Frameworks/libraries/services verification is optional (+) certification when checking those Not all reqs applicable as no code available -
Level for each verification
13 security areas
Various requirements for each area, each indicates with the levels at which the requirement needs to be met
190 requirements, of which 54 at level 1
Verify
[ver-uh-fahy]1. to prove the truth of, as by evidence or testimony; confirm; substantiate: Events verified his prediction.2. to ascertain the truth or correctness of, as by examination, research, or comparison: to verify a spelling.3. to act as ultimate proof or evidence of; serve to confirm.4. Law. to prove or confirm (an allegation). to state to be true, especially in legal use, formally or upon oath.
All requirements use Verify... wording.
Automated testing is not enough.Trusting your developers is not enough.Trusting the libraries / frameworks / tooling is not enough
Authentication
Verify all pages/resources require authentication except specific
Verify that all authentication decisions are logged
Verify all account password are salted account specific and use bcrypt, scrypt or PBKDF2 before storing
Credentials and identity information should not traverse un/weakly encrypted links
No clear text password sent to user
Username enumeration not possible in login/reset/forgot account
No default passwords (e.g. admin/password)
1
2
3
1
2
2
1
1
1
1
Authentication continued
Verify password entry fields allow or encourage the use of passphrases, and do not prevent long passphrases or highly complex passwords being entered, and provide a sufficient minimum strength to protect against the use of commonly chosen passwords.
Forget password should not lock account
No shared knowledge questions/answers (secret questions)
Allow configuration to disallow x previous passwords
Require two-factor authentication as per risk profile
1
2
3
2
2
2
2
3
Session Management
Verify that sessions timeout after a certain period of inactivity
Session timeout after (config) maximum time regardless of activity
Session id never disclosed other than in cookie headers. No URL rewriting of session cookies.
Verify session id is changed upon re-authentication
Session tokens should be sufficiently long and random to prevent guessing attacks
Cookie path should be restrictive, domain not set (unless for business requirement like SSO)
HttpOnly should be set on cookie, Secure set when using https
No duplicate concurrent users originating from different machines
1
2
3
1
2
1
2
2
2
1
2
Acces Control
Users can only access functions or services for which they possess specific authorization
Verify directory browsing disabled unless deliberately desired
All access controls are enforced on the server side
User, data, policy information used by access controls cannot be manipulated unless specifically authorized
Log all access control decisions (success and failure)
Require use of strong CSRF tokens
Aggregate access control protection e.g. throttle requests to prevent the entire database from being scraped by an individual user.
1
2
3
1
1
1
2
2
1
2
RESTEasy interceptor
@Component@Provider@ServerInterceptorpublic class SecurityPreProcessInterceptor implements ContainerRequestFilter {
@Override public void filter( ContainerRequestContext requestContext) throws IOException { // .... }
}
Require access annotation
if (requestContext instanceof PostMatchContainerRequestContext) { PostMatchContainerRequestContext pmcrc = (PostMatch...) requestContext; Annotation[] annotations = pmcrc.getResourceMethod().getMethodAnnotations(); if (!contains(annotations, PermitAll.class)) { if (contains(annotations, RolesAllowed.class)) { RolesAllowed ra = get(annotations, RolesAllowed.class); checkUserHasRole(requestContext, ra.value()); } else { throw new AuthException("Missing security + constraints on endpoint. " + pmcrc.getResourceMethod().getMethod()); } }}
Malicious Input Handling
Verify all input validation or encoding done server side
Log all input validation failures
No SQL, LDAP, OS command injection
All untrusted data output as HTML should be escaped
Verify defenses against HTTP parameter pollution attacks
1
2
3
1
3
1
1
2
Cryptography at Rest
All cryptographic functions to protect secrets done server side
Cryptographic modules validated agains FIPS 140-2 or an equivalent standard
Verify there is a policy for managing cryptographic keys. Verify that policy is properly enforced.
1
2
3
2
3
2
Error Handling and Logging
No sensitive data in error messages or stack traces (including session id or sensitive information)
Verify that all authentication decisions are logged
Each log event should include timestamp, severity, indication if security relevant (in mixed logs), identity, request IP address, success/failure, description
Do not log sensitive data that can help an attacker. Presence and length may be logged.
Log before executing a transaction, if logging fails the application fails safely. Important for integrity and non-repudiation.
1
2
3
1
2
2
3
2
Data Protection
Disabled client-side caching and autocomplete for sensitive fields
Sensitive data in HTTP body (not request parameters)
Ensure proper caching of sensitive data
Minimize number of parameters sent to untrusted systems e.g. hidden fields, cookies, ajax variables, header values
Alert and detect abnormal number of requests eg for screen scraping
1
2
3
1
1
2
3
3
Communications Security
Valid SSL certificates, path from root CA and validity
Failed TLS communications should not fallback to HTTP
1
2
3
1
3
HTTP Security
Every HTTP response should include a safe character set (e.g. UTF-8)
No detailed version information in HTTP headers
1
2
3
1
2
Malicious Controls
All checks are level 3Verify no malicious code in code developed or modified
Integrity of interpreted code, libraries, executables, configuration files verified using checksums or hashes
Sensitive data rapidly sanitized from memory when no longer needed
1
2
3
3
3
3
Business Logic
No spoofing of high value transactions
No tampering with high value business logic parameters like price
Verify defensive measures against repudiation attacks such as verifiable and protected transaction logs, or real-time monitoring of activities and trransactions for anomalies
Detection and governor controls to protect against brute force or denial of service attacks
Business limits and enforces them in trusted location, e.g. max $10/day for new SIM users, or limit patient access to max # patients you can treat in a day, or max 100 new users a day in a forum, or not allowing posts before a users account has been verified
1
2
3
2
2
2
2
2
Files and Resources
Verify the application does not execute uploaded data from untrusted sources
1
2
3
2
Mobile
Verify that unique device ID (UDID) is not used as security controle
Don't store sensitive data on shared resources (eg shared folder)
No sensitive data in SQLite database on device
No hard-coded secret keys or passwords in executable
Verify permissions requested and resources authorized (AndriodManifest.xml, iOS entitlements)
Obfuscate binary
No sensitive data logged (crash log, system log or filesystem)
Use certificate pinning to prevent proxying of app data
Sensitive data should be cryptographically secured when stored
Overwrite sensitive data in memory (mitigate damage from memory analysis attack)
1
2
3
1
1
1
2
2
3
2
3
3
3
Authentication verification
Null checks
Domain lookup
Type conversion
Still boilerplate !
Gender gender;if (StringUtils. isEmpty(to.getGender)) { Gender = null;} else { Gender = Gender.valueOf( to.getGender());}res.setGender(gender);
Think about security in your application
https://www.owasp.org/
@joachimvda
@eliwan_be
@joachimvda
@eliwan_be
@joachimvda
#DV13jTransfo
@joachimvda
#DV13jTransfo
Demo
@joachimvda
#DV13jTransfo