Securing Java Web Applications

Securing Java Applications

Joseph Konieczka

Sales Engineer

BrixBits

Agenda

• Current State

• OWASP Top 10

• Guidance and Resources

• WebGoat, BodgeIt, ZAP, and Burp Suite

• BrixBits Security Analyzer

• Q & A

Are DEV SEC and OPS teams Communicating?

NGFW, WAF, IPS, and more!

Hackers have time. You don’t!

OWASP

• Open Web Application Security Project (OWASP)

– https://www.owasp.org/index.php/Main_Page

• Top 10 Project

– https://www.owasp.org/index.php/Top_10

• Cheat Sheets

– https://www.owasp.org/index.php/Cheat_Sheets

• Application Security Verification Standard Project

– https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

• Testing Guide

– https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

OWASP Top 10 2013 Application Security Flaws (new version currently under review)

• Injection

• Broken Authentication and Session Management

• Cross-Site Scripting (XSS)

• Insecure Direct Object References

• Security Misconfiguration

• Sensitive Data Exposure

• Missing Function Level Access Control

• Cross-Site Request Forgery (CSRF)

• Using Components with Known Vulnerabilities

• Unvalidated Redirects and Forwards

https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013

INJECTION

Are your JARs vulnerable?

OWASP Java Resources

• https://www.owasp.org/index.php/Java_Security_Resources

• https://www.owasp.org/index.php/Category:OWASP_Java_Project

• https://www.owasp.org/images/8/89/OWASP_Top_10_2007_for_JEE.pdf

• http://www.slideshare.net/MasoudKalali/owasp-top-10-and-java-ee-security-in-practice

Coding Guidelines

• Oracle

– Secure Coding Guidelines

• http://www.oracle.com/technetwork/java/seccodeguide-139067.html

– Java Security Resource Center

• http://www.oracle.com/technetwork/java/javase/overview/security-2043272.html

• SEI CERT Oracle Coding Standard for Java

– https://www.securecoding.cert.org/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java

Standards

• National Vulnerability Database Common Vulnerability Scoring System [CVSS]

– https://nvd.nist.gov/cvss.cfm

• PCI SSC Data Security Standards Overview

– https://www.pcisecuritystandards.org/security_standards/

– Requirement 6: Develop and maintain secure systems and applications

Books

• Current

– Iron-Clad Java: Building Secure Web Applications by Jim Manico

• Slightly Dated

– Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs

– CERT Oracle Secure Coding Standard for Java

– Authors of both books: Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda

Certification

• GIAC

– Secure Software Programmer-Java (GSSP-JAVA)

• http://www.giac.org/certification/secure-software-programmer-java-gssp-java

• (ISC)2

– CSSLP - Certified Secure Software Lifecycle Professional

• https://www.isc2.org/csslp/default.aspx

Security isn’t a laughing matter

It’s not MAGIC

But sometimes it is Rocket Science

Vulnerable Web Applications

• WebGoat

– https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

• The BodgeIt Store

– https://github.com/psiinon/bodgeit

• Security Shepherd

– https://www.owasp.org/index.php/OWASP_Security_Shepherd

• Directory

– https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Offline

YouTube Tutorials

• OWASP ZAP Tutorial Videos

– https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB

• OWASP Appsec Tutorial Series

– https://www.youtube.com/channel/UC5xIEA6L0C2IG3iWgs8M2cA

• Many, many others

Call to action

• Log vulnerabilities (security defects) in your bug tracking system

• Consider certification

• Spread the word

– Other developers

– Systems administrators

– Business teams

TEAMWORK = Awesome!

http://brixbits.com/