TRANSCRIPT
Developing secure applications with GeneXus
Secure applications
Awareness
Competence
Solid platform
Tools
Secure applications
Authorization/Authentication
Review
Secure applications
Awareness
SELECT SUM(salary) FROM employees WHERE salary > 25000

SELECT salary FROM employees; OPEN cursor; FETCH NEXT FROM cursor;
WHILE ...
  IF salary > 25000 THEN x = x + salary;
  FETCH NEXT FROM cursor;
...

for each where customerId > 1
  ...
endfor

for each
  if customerId > 1
    ...
  endif
endfor
Secure applications
Competence
• www.owasp.org
• Principles
• Attacks and vulnerabilities
• Top 10
OWASP - Attacks
A: Account lockout attack; Argument Injection or Modification; Asymmetric resource consumption (amplification)
B: Binary planting; Blind SQL Injection; Blind XPath Injection; Brute force attack; Buffer overflow attack
C: CSRF; Cache Poisoning; Cash Overflow; Code Injection; Command Injection; Comment Injection Attack; Cross Frame Scripting; Cross Site History Manipulation (XSHM); Cross Site Tracing; Cross-Site Request Forgery (CSRF); Cross-User Defacement; Cross-site Scripting (XSS); Cryptanalysis; Custom Special Character Injection
D: Denial of Service; Direct Dynamic Code Evaluation ('Eval Injection'); Direct Static Code Injection; Double Encoding
F: Forced browsing; Format string attack; Full Path Disclosure
H: HTTP Request Smuggling; HTTP Response Splitting
L: LDAP injection
M: Man-in-the-browser attack; Man-in-the-middle attack; Mobile code: invoking untrusted mobile code; Mobile code: non-final public field; Mobile code: object hijack
N: Network Eavesdropping
O: One-Click Attack; Overflow Binary Resource File
P: Page Hijacking; Parameter Delimiter; Path Manipulation; Path Traversal
R: Regular expression Denial of Service - ReDoS; Relative Path Traversal; Repudiation Attack; Resource Injection
S: SQL Injection; Server-Side Includes (SSI) Injection; Session Prediction; Session fixation; Session hijacking attack; Setting Manipulation; Special Element Injection; Spyware
T: Traffic flood; Trojan Horse
U: Unicode Encoding
W: Web Parameter Tampering; Windows ::DATA alternate data stream
X: XPATH Injection; XSRF
OWASP - Vulnerabilities
A: ASP.NET Misconfigurations; Access control enforced by presentation layer; Addition of data-structure sentinel; Allowing Domains or Accounts to Expire; Allowing password aging; Assigning instead of comparing; Authentication Bypass via Assumed-Immutable Data
B: Buffer Overflow; Buffer underwrite; Business logic vulnerability
C: CRLF Injection; Capture-replay; Catch NullPointerException; Comparing classes by name; Comparing instead of assigning; Comprehensive list of Threats to Authentication Procedures and Data; Covert timing channel; Cross Site Scripting Flaw
D: Dangerous Function; Deletion of data-structure sentinel; Deserialization of untrusted data; Directory Restriction Error; Double Free; Doubly freeing memory; Duplicate key in associative list (alist)
E: Empty Catch Block; Empty String Password
F: Failure of true random number generator; Failure to account for default case in switch; Failure to add integrity check value; Failure to check for certificate revocation; Failure to check integrity check value; Failure to check whether privileges were dropped successfully; Failure to deallocate data; Failure to drop privileges when reasonable; Failure to encrypt data; Failure to follow chain of trust in certificate validation; Failure to follow guideline/specification; Failure to protect stored data from modification; Failure to provide confidentiality for stored data; Failure to validate certificate expiration; Failure to validate host-specific certificate data; File Access Race Condition: TOCTOU; Format String
G: Guessed or visible temporary file
H: Hard-Coded Password; Heap Inspection; Heap overflow
I: Ignored function return value; Illegal Pointer Value; Improper Data Validation; Improper cleanup on thrown exception; Improper error handling; Improper string length checking; Improper temp file opening; Incorrect block delimitation; Information Leakage; Information leak through class cloning; Information leak through serialization; Insecure Compiler Optimization; Insecure Randomness; Insecure Temporary File; Insecure Third Party Domain Access; Insecure Transport; Insufficient Entropy; Insufficient Session-ID Length; Insufficient entropy in pseudo-random number generator; Integer coercion error; Integer overflow; Invoking untrusted mobile code
J: J2EE Misconfiguration: Unsafe Bean Declaration
K: Key exchange without entity authentication
L: Least Privilege Violation; Leftover Debug Code; Log Forging; Log injection
M: Member Field Race Condition; Memory leak; Miscalculated null termination; Misinterpreted function return value; Missing Error Handling; Missing XML Validation; Missing parameter; Multiple admin levels; Mutable object returned
N: Non-cryptographic pseudo-random number generator; Not allowing password aging; Not using a random initialization vector with cipher block chaining mode; Null Dereference
O: OWASP .NET Vulnerability Research; Object Model Violation: Just One of equals() and hashCode() Defined; Often Misused: Authentication; Often Misused: Exception Handling; Often Misused: File System; Often Misused: Privilege Management; Often Misused: String Management; Omitted break statement; Open forward; Open redirect; Overflow of static internal buffer; Overly-Broad Catch Block; Overly-Broad Throws Declaration
P: PHP File Inclusion; PRNG Seed Error; Passing mutable objects to an untrusted method; Password Management: Hardcoded Password; Password Management: Weak Cryptography; Password Plaintext Storage; Poor Logging Practice; Portability Flaw; Privacy Violation; Process Control; Publicizing of private data when using inner classes
R: Race Conditions; Reflection attack in an auth protocol; Reflection injection; Relative path library search; Reliance on data layout; Relying on package-level scope; Resource exhaustion; Return Inside Finally Block; Reusing a nonce, key pair in encryption
S: Session Fixation; Sign extension error; Signed to unsigned conversion error; Stack overflow; State synchronization error; Storing passwords in a recoverable format; String Termination Error; Symbolic name not mapping to correct object
T: Template:Vulnerability; Truncation error; Trust Boundary Violation; Trust of system event data; Trusting self-reported DNS name; Trusting self-reported IP address
U: Uncaught exception; Unchecked Error Condition; Unchecked Return Value: Missing Check against Null; Unchecked array indexing; Undefined Behavior; Uninitialized Variable; Unintentional pointer scaling; Unreleased Resource; Unrestricted File Upload; Unsafe JNI; Unsafe Mobile Code; Unsafe Reflection; Unsafe function call from a signal handler; Unsigned to signed conversion error; Use of Obsolete Methods; Use of hard-coded password; Use of sizeof() on a pointer type; Using a broken or risky cryptographic algorithm; Using a key past its expiration date; Using freed memory; Using password systems; Using referer field for authentication or authorization; Using single-factor authentication; Using the wrong operator
V: Validation performed in client; Vulnerability template
W: Wrap-around error; Write-what-where condition
OWASP Top 10
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Secure applications with GeneXus
Platform
• Improvements in every version
• Improvements in every upgrade
• Internal security project
OWASP Top 10
A1: Injection
Problem
• Commands are injected into a sequence that an interpreter executes
• SQL
  • "Select * from Customer where CustomerStatus=" + &var
  • &var = "'activo' OR 1=1"
Solution
• GX: builds parameterized statements
  • "Select * from Customer where CustomerId=?"
• GX: dynamic selects = encoding
• When programming: avoid the SQL command with parameters
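The two statement shapes from this slide, side by side, as an added example that is not part of the deck or of GeneXus's generated code. It uses an in-memory SQLite table with constructed rows, a `concatenated_query` that mirrors the `+ &var` form and a `parameterized_query` that mirrors the `?` form GX generates; the deck's own `'activo' OR 1=1` value is fed to both so the difference is visible in the returned ids.

```python
import sqlite3

# Constructed sample rows (not from the deck): (CustomerId, CustomerStatus)
SAMPLE_CUSTOMERS = [(1, "activo"), (2, "inactivo"), (3, "activo"), (4, "baja")]


def make_db():
    """In-memory Customer table loaded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Customer (CustomerId INTEGER PRIMARY KEY, CustomerStatus TEXT)")
    con.executemany("INSERT INTO Customer VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return con


def concatenated_query(con, var):
    """Vulnerable form from the deck: the variable is glued into the SQL text,
    so whatever it contains is parsed as SQL by the database engine."""
    sql = "SELECT CustomerId FROM Customer WHERE CustomerStatus=" + var
    return [row[0] for row in con.execute(sql)]


def parameterized_query(con, var):
    """Hardened form: the value is bound to the '?' placeholder and compared
    as data, so it can never change the shape of the statement."""
    sql = "SELECT CustomerId FROM Customer WHERE CustomerStatus=?"
    return [row[0] for row in con.execute(sql, (var,))]


def demo():
    """Run both forms with the intended value and with the deck's hostile value."""
    con = make_db()
    expected_input = "'activo'"         # what the caller meant &var to carry
    hostile_input = "'activo' OR 1=1"   # the deck's example value for &var
    return {
        "concat_expected": concatenated_query(con, expected_input),
        "concat_hostile": concatenated_query(con, hostile_input),
        # a bound parameter carries the raw value, without the quotes the string form needed
        "param_expected": parameterized_query(con, "activo"),
        "param_hostile": parameterized_query(con, hostile_input),
    }


if __name__ == "__main__":
    for label, ids in demo().items():
        print(label, ids)
```

The concatenated form returns every customer for the hostile value because the `OR 1=1` became part of the WHERE clause; the parameterized form returns nothing, because no row has the literal status text `'activo' OR 1=1`.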
A2: Cross-Site Scripting (XSS)
Problem
• "Raw info" sent to the browser
  • from the DB
  • reflected
  • JScript
Solution
• GX: encoding of everything that goes to the client
• When programming: avoid Format=HTML
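What "encoding everything that goes to the client" buys you, as an added example (not deck or GeneXus code). `render_raw` stands in for a Format=HTML field that writes the value untouched, `render_encoded` and `render_attribute` for the encoded output GX produces by default, and `leaks_markup` is a small review check over the rendered fragment; the sample values are constructed.

```python
import html

# Constructed sample values, as if read from the DB or reflected from the request
SAMPLES = {
    "name": "O'Brien & Sons",
    "comment": "<script>alert(1)</script>",
    "attr": '" onmouseover="alert(1)',
}


def render_raw(value):
    """Mirrors Format=HTML: the value lands in the page untouched."""
    return "<td>" + value + "</td>"


def render_encoded(value):
    """Mirrors GX's default: encode every value before it reaches the client."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


def render_attribute(value, encode=True):
    """Attribute context: with quote=True the value cannot close the quote and
    add an event handler; encode=False shows the Format=HTML-style result."""
    inner = html.escape(value, quote=True) if encode else value
    return '<input value="' + inner + '">'


def leaks_markup(fragment, template_parts):
    """Review check: strip the template's own markup; any '<', '>' or '"' left
    over came from the data and would be interpreted by the browser."""
    for part in template_parts:
        fragment = fragment.replace(part, "")
    return any(ch in fragment for ch in '<>"')


if __name__ == "__main__":
    print(render_raw(SAMPLES["comment"]))
    print(render_encoded(SAMPLES["comment"]))
    print(render_attribute(SAMPLES["attr"]))
```

The `quote=True` argument matters: element content only needs `<`, `>` and `&` encoded, but a value placed inside an attribute also needs the quote characters encoded, which is why one encoder covering all four contexts is the safe default.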
A3: Broken Authentication and Session Management
Problem
• Session:
  • "Cookieless sessions"
  • Session expiration
• Authentication:
  • Credentials in the parameters
Solution
• Protect credentials
• Avoid "cookieless sessions"
• Encrypt the parameters
• When programming: Ajax security=High
• GAM
A4: Insecure Direct Object References
Problem
• Access to unauthorized objects
• Object references exposed and not controlled
  • Common in URLs
Solution
• Eliminate the reference
• GX: use parameter encryption
• Access control
  • GAM
A5: Cross-Site Request Forgery (CSRF)
Problem
• Authenticated and authorized
• The user executes the attack without realizing it
Solution
• Parameter encryption
• Unique token per URL
• Avoid HTML
• When programming: avoid dynamic LINK commands without parameters
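One block for the parameter-protection point that A3, A4 and A5 share, added here as an example that is not deck or GeneXus code. GX's parameter encryption hides and integrity-protects URL parameters; this stand-in uses an HMAC over the canonical parameter string instead (integrity only, the values stay readable), which is enough to show both effects the slides want: a modified `CustomerId` is rejected (A4) and a per-session token bound into the signed link makes a link copied into another session useless (A5). The key, the `/viewcustomer` path and the session token values are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: the secret comes from the deployment (the deck's application.key is
# one such source); this is a constructed placeholder, not a real key.
SECRET_KEY = b"constructed-demo-key-replace-in-deployment"


def canonical(params):
    """Stable text form of the parameters so both sides MAC the same bytes."""
    return urlencode(sorted(params.items()))


def sign(params):
    """Canonical query string with a MAC over it appended as 'sig'."""
    mac = hmac.new(SECRET_KEY, canonical(params).encode(), hashlib.sha256).hexdigest()
    return canonical(params) + "&sig=" + mac


def verify(query):
    """Return the parameters if 'sig' matches, else None (tampered or forged)."""
    parsed = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    sig = parsed.pop("sig", None)
    if sig is None:
        return None
    expected = hmac.new(SECRET_KEY, canonical(parsed).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return parsed


def link_for(session_token, params):
    """Link whose parameters are tamper-evident and that carries the session's
    anti-CSRF token, so it is only valid when presented by that session."""
    return "/viewcustomer?" + sign({**params, "tok": session_token})


def handle_request(url, session_token):
    """Server side: reject unsigned or modified parameters, and requests whose
    token does not belong to the session presenting them."""
    params = verify(urlparse(url).query)
    if params is None:
        return ("reject", "bad signature")
    if not hmac.compare_digest(params.get("tok", ""), session_token):
        return ("reject", "token mismatch")
    return ("ok", params.get("CustomerId"))


if __name__ == "__main__":
    link = link_for("sess-abc", {"CustomerId": "42"})
    print(link)
    print(handle_request(link, "sess-abc"))
```

A real deployment would use an authenticated-encryption scheme (which is what "encrypt the parameters" gets you in GX) so the ids are not readable either; the structure of the check on the receiving side is the same.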
A6: Security Misconfiguration
Problem
• Configuration problems expose the application.
Solution
• Security protocol when going into production
• Know the platform
• Configuration has to be verifiable
• Disable unnecessary access
  • ASP.NET error reporting
  • ports, test pages, test users, default passwords, etc.
A7: Insecure Cryptographic Storage
Problem
• Sensitive data
• Failure to identify:
  • Objects
  • Storage
• Failure to protect them
  • Weak encryption
  • Poorly protected keys
Solution
• Risk assessment
• GX: own encryption keys: application.key
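"Configuration has to be verifiable" (A6) and "own encryption keys" (A7) both reduce to a go-live check that can be run rather than remembered. The following is an added example, not deck or GeneXus tooling: `check_config` runs the A6 list (error reporting, debug, extra ports, test pages, default passwords) plus an A7 check that an application-specific key is configured, over two constructed configuration snapshots. The snapshot keys are illustrative; only `application_key` stands for the deck's application.key.

```python
# Constructed configuration snapshots shaped like what a go-live review collects.
# Key names are illustrative; application_key stands for the deck's application.key.
PRODUCTION_CONFIG = {
    "environment": "production",
    "custom_errors": "Off",          # detailed error pages reachable from outside
    "debug": "true",
    "application_key": "",           # empty: a generator default key would be in use
    "open_ports": [80, 443, 8080],
    "test_pages": ["/test/login.aspx"],
    "accounts": [{"user": "admin", "password": "admin"},
                 {"user": "svc", "password": "G7#kq-constructed-strong"}],
}

HARDENED_CONFIG = {
    "environment": "production",
    "custom_errors": "RemoteOnly",
    "debug": "false",
    "application_key": "c0ffee-constructed-32-byte-key-value",
    "open_ports": [80, 443],
    "test_pages": [],
    "accounts": [{"user": "svc", "password": "G7#kq-constructed-strong"}],
}

DEFAULT_PASSWORDS = {"admin", "password", "123456", "test", "changeme"}
EXPECTED_PORTS = {80, 443}


def check_config(cfg):
    """Return (check, detail) findings; an empty list means the snapshot passes."""
    findings = []
    if cfg.get("custom_errors", "").lower() not in ("on", "remoteonly"):
        findings.append(("error_reporting", "detailed error pages are served to remote clients"))
    if cfg.get("debug", "false").lower() == "true":
        findings.append(("debug", "debug build enabled in production"))
    if len(cfg.get("application_key", "")) < 16:
        findings.append(("application_key", "no application-specific encryption key configured"))
    extra = set(cfg.get("open_ports", [])) - EXPECTED_PORTS
    if extra:
        findings.append(("open_ports", "unexpected ports open: %s" % sorted(extra)))
    if cfg.get("test_pages"):
        findings.append(("test_pages", "test pages deployed: %s" % cfg["test_pages"]))
    for acct in cfg.get("accounts", []):
        pwd = acct["password"]
        if pwd.lower() in DEFAULT_PASSWORDS or pwd == acct["user"]:
            findings.append(("default_password", "account %s uses a default password" % acct["user"]))
    return findings


if __name__ == "__main__":
    for finding in check_config(PRODUCTION_CONFIG):
        print("FAIL", *finding)
    print("hardened:", check_config(HARDENED_CONFIG))
```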
A8: Failure to Restrict URL Access
Problem
• Unauthorized access
• Hiding links and references is not enough
Solution
• Access control: authentication and authorization
• GX + GAM
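"Hiding links is not enough" in code, as an added example (not GAM's model or API): `menu_for` is the presentation-layer filtering that only hides links, `dispatch` is the per-request authorization check that actually protects the object. The role and user tables are constructed.

```python
# Constructed permission data: role -> objects it may run, user -> roles.
# GAM supplies this kind of store in a real KB; the names here are invented.
ROLE_PERMISSIONS = {
    "customer": {"ViewOrder", "ViewProfile"},
    "clerk": {"ViewOrder", "ViewProfile", "EditOrder"},
    "admin": {"ViewOrder", "ViewProfile", "EditOrder", "AdminPanel"},
}
USERS = {"ana": {"customer"}, "luis": {"clerk"}, "root": {"admin"}}
ALL_OBJECTS = set().union(*ROLE_PERMISSIONS.values())


def is_authorized(user, obj):
    """True if any of the user's roles grants the object."""
    return any(obj in ROLE_PERMISSIONS.get(role, set()) for role in USERS.get(user, set()))


def menu_for(user):
    """Links rendered in the UI. Hiding a link is a convenience, not the control."""
    return sorted(obj for obj in ALL_OBJECTS if is_authorized(user, obj))


def dispatch(user, path):
    """The check that protects the object: runs on every request, whether the
    link was visible in the menu or the URL was typed or guessed."""
    obj = path.strip("/").split("/")[0]
    if obj not in ALL_OBJECTS:
        return (404, "not found")
    if user is None:
        return (401, "authentication required")
    if not is_authorized(user, obj):
        return (403, "forbidden")
    return (200, obj)


if __name__ == "__main__":
    print("menu for ana:", menu_for("ana"))
    print("ana requests /AdminPanel:", dispatch("ana", "/AdminPanel"))
```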
A9: Insufficient Transport Layer Protection
Problem
• Sensitive data
• Failure to identify:
  • Objects
  • Information in transit
• Failure to protect them
  • Weak encryption
  • Unverified certificates, poorly protected keys
Solution
• Risk assessment
• Verified certificates, good key management
A10: Unvalidated Redirects and Forwards
Problem
• Redirection based on parameters
Solution
• When programming:
  • Validate dynamic calls per user
  • If they are used, use them with parameters
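Both options on this slide as an added example (not deck or GeneXus code): `safe_redirect_target` validates a client-supplied target so that only same-site destinations pass, covering the network-path (`//host`), backslash and scheme tricks that browsers resolve off-site, and `redirect_by_name` is the "use them with parameters" option, where the parameter selects from a fixed table instead of carrying a URL. The host name and destination table are constructed.

```python
from urllib.parse import urlparse

# Constructed values; the deck names no host or pages
APP_HOST = "app.example.com"
NAMED_TARGETS = {"home": "/home", "orders": "/orders", "profile": "/profile"}
DEFAULT = "/home"


def safe_redirect_target(target):
    """Accept a client-supplied redirect target only if it stays on this site;
    anything else falls back to DEFAULT."""
    # empty, backslash (some browsers read "/\" as "//") or header-splitting characters
    if not target or "\\" in target or "\r" in target or "\n" in target:
        return DEFAULT
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        # absolute or network-path URL: only our own host over https, path only
        if parsed.scheme == "https" and parsed.hostname == APP_HOST:
            return parsed.path or "/"
        return DEFAULT
    if target.startswith("/") and not target.startswith("//"):
        return target   # plain site-relative path
    return DEFAULT


def redirect_by_name(name):
    """The slide's second option: no URL is accepted at all, the parameter picks a
    destination from a table the application controls."""
    return NAMED_TARGETS.get(name, DEFAULT)


if __name__ == "__main__":
    for t in ["/orders/123", "https://app.example.com/profile", "https://evil.example/", "//evil.example/"]:
        print(t, "->", safe_redirect_target(t))
```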
Tools
Review = GXSScan
• Format=HTML
• Missing parameter encryption
• SQL commands
• Authorization
• Dynamic LINK command without parameters
• …
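What a review pass of this kind does mechanically, as an added example that is not GXSScan and knows nothing of its rules: a handful of regexes over constructed GeneXus-like source snippets, reporting the first four findings on the slide's list (Format=HTML, SQL command built from variables, dynamic LINK/CALL whose only argument is a variable, and parameter encryption switched off at KB level). The snippet syntax is an approximation written for this example, and the "Encrypt URL Parameters" property name and value are assumed.

```python
import re

# Constructed GeneXus-like source snippets, not real KB objects; the syntax is only
# close enough to drive the rules below.
SOURCES = {
    "WebPanel1": "Format=HTML\n&html = '<b>' + &name + '</b>'\n",
    "Proc1": "sql [!select * from Customer where CustomerStatus=' + &var + '!]\n",
    "WebPanel2": "link(&url)\n",
    "WebPanel3": "link(\"viewcustomer\", &CustomerId)\ncall(&pgmname)\n",
    "Clean": "for each where CustomerId > 1\n  &total = &total + Amount\nendfor\n",
}
# KB-level property; the name is assumed, the value constructed
KB_PROPERTIES = {"Encrypt URL Parameters": "No"}

# (finding name from the Review list, regex over one object's source)
RULES = [
    ("Format=HTML", re.compile(r"\bFormat\s*=\s*HTML\b", re.I)),
    ("SQL command", re.compile(r"\bsql\s*\[!.*?&\w+.*?!\]", re.I | re.S)),
    ("dynamic LINK/CALL without parameters",
     re.compile(r"\b(?:link|call)\s*\(\s*&\w+\s*\)", re.I)),
]


def scan_object(name, source):
    """Findings for one object as (object, finding, line)."""
    findings = []
    for label, pattern in RULES:
        for match in pattern.finditer(source):
            line = source.count("\n", 0, match.start()) + 1
            findings.append((name, label, line))
    return findings


def scan_kb(sources, properties):
    """Every rule over every object, plus the KB-level parameter-encryption check."""
    findings = []
    if properties.get("Encrypt URL Parameters", "No") == "No":
        findings.append(("<KB>", "missing parameter encryption", 0))
    for name, source in sources.items():
        findings.extend(scan_object(name, source))
    return findings


if __name__ == "__main__":
    for finding in scan_kb(SOURCES, KB_PROPERTIES):
        print(*finding)
```

The authorization item on the slide is deliberately absent: whether an object checks authorization is not a textual pattern, which is why the deck pairs the scanner with GAM rather than expecting the scanner to find it.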
Tools
GAM = GeneXus Access Manager
• Library integrated into GeneXus
• Easy to add to the KB
• Provides a solution for:
  • Authentication
  • Authorization
What we are doing
GX
Constant improvements
Tools for scanning
GAM
What you have to do
Awareness, Competence, Action