2013 06-27-securecoding-en - jug pch
TRANSCRIPT
Secure Coding for Java (an introduction)
Java User Group Poitou-Charentes (Niort)
27 June 2013
Sébastien Gioria, [email protected], Leader OWASP France
Friday, June 28, 13

http://www.google.fr/#q=sebastien gioria
‣ OWASP France Leader & Founder & Evangelist
‣ Innovation & Technology @ Advens
‣ Application Security group leader for the CLUSIF
‣ Proud father of young kids trying to hack my digital life.
Twitter: @SPoint / @OWASP_France
Don't worry, this is the only slide in English; on the other hand there will be stuff written all over the bottom...

Forewords
• This is a presentation made from my own experience with some companies using OWASP materials.
• Only the documents from the OWASP wiki are OWASP official (see https://www.owasp.org)
• Some extracts come from documents I wrote as OWASP leader, which is why you could find them elsewhere.

Agenda
• Application Security:
  – where we are (no bullshit)
  – where we are (hopefully) going?
• Using OWASP materials to secure code
• Secure Coding principles

Introduction

Why Application Security?
(flowchart built up over several slides; the boxes read:)
Your application has been hacked? YES / NO
Your application will be hacked ;) YES / NO
My application will be hacked!
Let me take you on the right way
Next step

Why Application Security?
We are living in a digital environment, in a connected world
v Most websites are vulnerable to attacks
v An important % of business is web-based (services, online stores, self-care, telcos, SCADA, ...)
Age of Antivirus → Age of Network Security → Age of Application Security

Consequences of bad or no security
– Identity theft
– Hardware theft
– IT downtime
– Bad media coverage
– Financial loss
– Customer loss
– Legal/business penalties

What did Verizon (PCI-DSS company) say?
(charts, © Verizon 2012)

Verizon Study
(charts, © Verizon 2012)

Verizon study
(chart, © Verizon 2012)

(chart, (c) WhiteHat Security 2013)

What your CIO said: I got a firewall!

What your business user said: I have an SSL-based web site

What your business user said: only the hacker can attack my website
• Tools are more and more simple.
• Try a simple search on Google for SQL injection and look at it.
• An attack on a web server costs $100/$200 per day on the underground market.

What your user said: a vulnerability in an internal application is not critical.
• No. The web is everywhere, and CSRF, HTML5 CORS and more can make this completely destructive.
• Be aware and share this: AJAX does a lot of things without you.
• Be aware and share this: HTML5 will come with "nice" user functionality, but with a big impact on security (WebSocket, CORS, ...).

But I do security testing!
(diagram: Security Testing vs. Coding)

Major OWASP publications you can use
All are on the wiki https://www.owasp.org
All are under GPL or friendly licenses
Major publications you can use to secure your projects/SDLC:
Ø OWASP Top10
Ø Auditor/Testing Guide
Ø Code Review Guide
Ø Building Guide
Ø Application Security Verification Standard (ASVS)
Ø Secure Coding Practices
(diagram: Building Guide, Code Review Guide, Testing Guide, Application Security Desk Reference (ASDR); the Top10 references these 3 guides)

(diagram built up over several slides: Learn → Contract → Design → Build → Test → Progress)

OWASP Application Security Verification Standard

What is ASVS?
• A standard that provides a basis for the verification of web applications, application-independent.
• A standard that is life-cycle model independent.
• A standard that defines requirements that can be applied across applications without special interpretation.

What questions does ASVS answer?
• How much trust can be placed in a web application?
• What features should be built into security controls?
• How do I acquire a web application that is verified to have a certain range in coverage and level of rigor?

ASVS security control requirements (number of requirements per security area and verification level)

| Security Area | Level 1A | Level 1B | Level 2A | Level 2B | Level 3 | Level 4 |
|---|---|---|---|---|---|---|
| V1 – Security Architecture Verification Requirements | 1 | 1 | 2 | 2 | 4 | 5 |
| V2 – Authentication Verification Requirements | 3 | 2 | 9 | 13 | 13 | 14 |
| V3 – Session Management Verification Requirements | 4 | 1 | 6 | 7 | 8 | 9 |
| V4 – Access Control Verification Requirements | 5 | 1 | 12 | 13 | 14 | 15 |
| V5 – Input Validation Verification Requirements | 3 | 1 | 5 | 7 | 8 | 9 |
| V6 – Output Encoding/Escaping Verification Requirements | 0 | 1 | 2 | 8 | 9 | 10 |
| V7 – Cryptography Verification Requirements | 0 | 0 | 2 | 8 | 9 | 10 |
| V8 – Error Handling and Logging Verification Requirements | 1 | 1 | 2 | 8 | 8 | 9 |
| V9 – Data Protection Verification Requirements | 1 | 1 | 2 | 3 | 4 | 4 |
| V10 – Communication Security Verification Requirements | 1 | 0 | 3 | 6 | 8 | 8 |
| V11 – HTTP Security Verification Requirements | 3 | 3 | 6 | 6 | 7 | 7 |
| V12 – Security Configuration Verification Requirements | 0 | 0 | 0 | 2 | 3 | 4 |
| V13 – Malicious Code Search Verification Requirements | 0 | 0 | 0 | 0 | 0 | 5 |
| V14 – Internal Security Verification Requirements | 0 | 0 | 0 | 0 | 1 | 3 |
| Totals | 22 | 12 | 51 | 83 | 96 | 112 |

But ASVS stands for Verification?
• ASVS only states functional needs for controls.
• You should use it as a Secure Coding Policy.
★ Don't be medium (ASVS Level 1/2), just target excellence (ASVS Level 4)

Using ASVS as a secure coding policy
• ASVS: Verify that all password fields do not echo the user's password when it is entered.
  ➡ All password fields must be defined as HTML password fields and must not echo the user's password.
  ➡ All login forms must include the autocomplete=off attribute.
• ASVS: Verify that all input validation is performed on the server side.
  ➡ Perform all input validation on the server. Nothing in the browser.

Positive attitude
Negative: The tester shall search for XSS holes.
Positive: Verify that the application performs input validation and output encoding on all user input.
See: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

OWASP Secure Coding Practices

OWASP Secure Coding Practices
• Small document (only 9 pages)
• Could be used as a simple checklist for your policy.
• Could be used together with ASVS or alone.
• More technical and deeper approach than ASVS.
• Written and used by Boeing :)

Secure Coding Practices Contents
• Input Validation
• Output Encoding
• Authentication and Password Management
• Session Management
• Access Control
• Cryptographic Practices
• Error Handling and Logging
• Data Protection
• Communication Security
• System Configuration
• Database Security
• File Management
• Memory Management
• General Coding Practices

Now the torture room

Let's talk Secure Coding now
(extracts from OWASP Secure Coding Practices, OWASP Cheat Sheets, OWASP ASVS, ...)

Some secure principles to follow
• Defense in depth of the application is mandatory
• Following least privilege is the best solution
• Segregate duties more than users think
➡ Remember that the application needs to answer user needs, not security pleasure.

Defense in depth of a web application (example)
(diagram: Browser → Firewall → Web Server → App Server → Web Apps/Application → SGBD (DBMS))
Controls placed along the path:
• User authentication
• Input validation
• Secure configuration
• Good crash mechanisms
• Critical data transport protection
• Preventing session and ID theft
• Critical data protection
• Logs/audit of transactions
• Authorisation and authentication (at the application and at the database)
• Preventing parameter thefts

Fail securely
• Don't give the user technical details of the error/crash.
• Clean state or used objects in the catch clause.

Don't try to make obscure things
(screenshots: GEOPORTAIL vs. GOOGLE MAPS)

• Obfuscation is not the solution
• There is someone in the matrix who will send you evil data
• Be evil!
• Protecting the area with a filter is the best solution

Controls
• Controls need:
  – to be simple
  – to be used correctly
  – to be functional
  – to be present in every part of the application
A badly understood control results in developers not using it, and the application will be vulnerable.

Minimal controls to have
• You must have at least these components in your application:
  – Authentication
  – Authorization
  – Logging and audit
  – Secure storage
  – Secure transport
  – Secure input and output manipulation of data

Authentication

Implement a good password strategy
• Password length – categorize applications:
  • Important: at least 6 characters
  • Critical: at least 8 characters and perhaps multi-factor authentication
  • High critical: at least 14 characters and multi-factor authentication
• Password strength – implement password complexity with the previous categories:
  • at least: 1 upper, 1 lower, 1 digit, 1 special
  • don't allow dictionary passwords
  • don't allow continuous characters

Implement a good password strategy
• Let the user choose it
• Force the user to change it regularly, and add a no-reuse capability.
• Don't allow too many "I forgot my password"
• Don't allow a password change without user approval; require the actual password from the user, and more for high critical.
• Add a sleep strategy!
• Add a misuse detection strategy!
• Don't store passwords in clear!!!!! Use a hash!

Multi-factor authentication
• Passwords are bad
• Passwords are guessable
• Multi-factor combines:
  – something you have (token, mobile, ...)
  – something you know (details about you, password, ...)
  – sometimes, something you are (biometrics)
  – Use it for high critical applications.

Implement a good global strategy
• Ask for a second authentication for critical transactions (with multi-factor auth...)
• Force authentication to be over TLS/SSL
• Regenerate the Session ID after authentication
• Force the Session ID to be "secure"
• Limit forgotten password requests and login/password changes

How to do it?
• Authenticate all pages except public pages (login, logout, help, ....)
• Don't allow more than one authentication mechanism
• Authenticate on the SERVER
• Simply send back "user or password mismatch" and nothing else after a failed authentication.
• Log all failed and all correct authentications
• After each authentication, give the user the last status of his authentication.

• Good regex for password complexity:
(?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$
• Good storage of a password with a SALT:
```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Salted SHA-256: the salt goes into the digest first, then the UTF-8 bytes of the password.
public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    digest.reset();
    digest.update(salt);
    // StandardCharsets.UTF_8 instead of getBytes("UTF-8"): no checked UnsupportedEncodingException to declare
    return digest.digest(password.getBytes(StandardCharsets.UTF_8));
}
```

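Added example (my code, not from the slides) for the password slides above: the slide's complexity regex, the dictionary and continuous-character rules, and salted storage in one Java class. It swaps the slide's single SHA-256 round for PBKDF2WithHmacSHA256, a deliberately slow password hash from the JDK, and compares hashes with MessageDigest.isEqual so the comparison time does not depend on where the first differing byte is; the iteration count, record format and sample dictionary are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Password policy and salted storage (added example, not from the slides). */
public final class PasswordPolicy {

    // Complexity regex from the slide: 8-30 chars, at least 1 digit, 1 lower, 1 upper, 1 special.
    private static final Pattern COMPLEXITY = Pattern.compile(
            "(?=^.{8,30}$)(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{\"\":;'?/>.<,]).*$");

    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    // Assumption: tune so that one hash costs roughly 100 ms on the production server.
    private static final int ITERATIONS = 100_000;
    private static final String SCHEME = "pbkdf2-sha256";

    private PasswordPolicy() {}

    /** Policy check: complexity regex, no dictionary word, no run of continuous characters. */
    public static boolean isAcceptable(String password, Set<String> dictionary) {
        if (password == null || !COMPLEXITY.matcher(password).matches()) {
            return false;
        }
        if (dictionary.contains(password.toLowerCase())) {
            return false;
        }
        return !hasRun(password, 3);
    }

    /** True when runLength consecutive chars are identical ("aaa") or ascending ("abc", "123"). */
    static boolean hasRun(String s, int runLength) {
        int ascending = 1, same = 1;
        for (int i = 1; i < s.length(); i++) {
            int delta = s.charAt(i) - s.charAt(i - 1);
            ascending = (delta == 1) ? ascending + 1 : 1;
            same = (delta == 0) ? same + 1 : 1;
            if (ascending >= runLength || same >= runLength) {
                return true;
            }
        }
        return false;
    }

    /** Returns "scheme$iterations$salt$hash" with a fresh random salt; the clear text is never stored. */
    public static String hash(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] derived = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return SCHEME + "$" + ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(derived);
    }

    /** Verifies against a stored record; a malformed or foreign record fails closed. */
    public static boolean verify(char[] password, String stored) {
        String[] parts = stored == null ? new String[0] : stored.split("\\$");
        if (parts.length != 4 || !SCHEME.equals(parts[0])) {
            return false;
        }
        int iterations;
        byte[] salt, expected;
        try {
            iterations = Integer.parseInt(parts[1]);
            salt = Base64.getDecoder().decode(parts[2]);
            expected = Base64.getDecoder().decode(parts[3]);
        } catch (IllegalArgumentException e) {   // NumberFormatException is a subclass
            return false;
        }
        byte[] actual = pbkdf2(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            try {
                return factory.generateSecret(spec).getEncoded();
            } finally {
                spec.clearPassword();   // wipe the copy of the password held by the spec
            }
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 not available", e);
        }
    }

    public static void main(String[] args) {
        Set<String> dictionary = Set.of("password", "welcome1!");   // constructed sample dictionary
        System.out.println(isAcceptable("Tr0ub4dor&3", dictionary));   // meets every rule
        System.out.println(isAcceptable("Abcdefg1!", dictionary));     // exercises the continuous-character rule
        String record = hash("Tr0ub4dor&3".toCharArray());
        System.out.println(record);
        System.out.println(verify("Tr0ub4dor&3".toCharArray(), record));
        System.out.println(verify("Tr0ub4dor&4".toCharArray(), record));
    }
}
```

The sleep and misuse-detection strategies from the previous slide belong in the login handler that calls verify(), not in this class.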
Session Management

Session
• Use the default Java framework generator
• Use another name than the framework's default (rename JSESSIONID...)
• Force transport of the authentication ID over SSL/TLS.
• Don't allow the Session ID in the URL!
• If using a cookie:
  – Secure cookie
  – HttpOnly cookie
  – Limit path + domain
  – Max age and expiration

Session tricks
• Automatic expiration – categorize applications:
  • default: 1 hour
  • critical (some transactions): 20 mins
  • high critical (financial or account impact): 5 mins
• Renew the Session ID after any privilege change
• Don't allow simultaneous logons
• Add session attack detection
  • add in-session tips: IP of the session, another random number, ...

Browser defenses
• Bind JavaScript events to close the session:
  – on window.close()
  – on window.stop()
  – on window.blur()
  – on window.home()
• Use a JavaScript timer to automatically close the session in high critical applications
• Disable web browser cross-tab sessions if possible... (bad user experience....)
  – If you use a cookie, this is not possible!!!!

Using Servlet 3.0?
```xml
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```

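Added example (my code, not from the slides) covering the Session, Session tricks and Servlet 3.0 slides: the slide's cookie settings done programmatically through the Servlet 3.0 SessionCookieConfig, a renew() to call after login or a privilege change, idle timeouts by application category, and the in-session IP/nonce check. The cookie name, the path and the attribute names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Session hardening for a Servlet 3.0 container (added example, not from the slides). */
public final class SessionGuard {

    /** Idle timeouts from the "Session tricks" slide, by application category. */
    public enum Criticality {
        DEFAULT(60 * 60), CRITICAL(20 * 60), HIGH_CRITICAL(5 * 60);
        final int idleSeconds;
        Criticality(int idleSeconds) { this.idleSeconds = idleSeconds; }
    }

    static final String ATTR_IP = "guard.ip";        // assumption: attribute names
    static final String ATTR_NONCE = "guard.nonce";
    private static final SecureRandom RNG = new SecureRandom();

    private SessionGuard() {}

    /** Programmatic form of the slide's <cookie-config>, plus a renamed cookie and a bounded path. */
    @WebListener
    public static final class CookieHardening implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent event) {
            SessionCookieConfig cfg = event.getServletContext().getSessionCookieConfig();
            cfg.setName("APPSESSION");   // not the default JSESSIONID
            cfg.setHttpOnly(true);       // not readable from JavaScript
            cfg.setSecure(true);         // sent over TLS only
            cfg.setPath("/app");         // assumption: the application's context path
            cfg.setMaxAge(-1);           // browser-session cookie, not written to disk
        }
        @Override
        public void contextDestroyed(ServletContextEvent event) { }
    }

    /**
     * Call after a successful login or any privilege change. Servlet 3.0 has no changeSessionId(),
     * so the pre-authentication session is invalidated and a fresh one is created; copy over any
     * attribute you still need before calling this.
     */
    public static HttpSession renew(HttpServletRequest request, Criticality level) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setMaxInactiveInterval(level.idleSeconds);
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        // In-session "tips" from the slide: client IP plus a second random value the client echoes back
        fresh.setAttribute(ATTR_IP, request.getRemoteAddr());
        fresh.setAttribute(ATTR_NONCE, Base64.getUrlEncoder().withoutPadding().encodeToString(nonce));
        return fresh;
    }

    /** Nonce to hand to the client (e.g. a hidden form field); it comes back as presentedNonce. */
    public static String nonceFor(HttpSession session) {
        Object nonce = session.getAttribute(ATTR_NONCE);
        return nonce == null ? null : nonce.toString();
    }

    /**
     * Session attack detection: IP and nonce must match what was bound in renew(). On mismatch
     * the session is terminated, as the authorization slides require.
     */
    public static boolean isConsistent(HttpServletRequest request, String presentedNonce) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        Object ip = session.getAttribute(ATTR_IP);
        Object nonce = session.getAttribute(ATTR_NONCE);
        boolean ok = ip != null && nonce != null && presentedNonce != null
                && ip.equals(request.getRemoteAddr())
                && MessageDigest.isEqual(nonce.toString().getBytes(StandardCharsets.UTF_8),
                                         presentedNonce.getBytes(StandardCharsets.UTF_8));
        if (!ok) {
            session.invalidate();
        }
        return ok;
    }
}
```

Binding the session to the remote address logs out users whose IP changes (mobile networks, proxies), so treat it as a detection signal for critical applications rather than a universal rule.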
Access Controls

Remember
(1) Without access control, you can't control the user in your application
(2) All client inputs are EVIL

Authentication & Authorization
• Two levels of authentication and authorization are needed:
  – In the application
  – In the infrastructure
(diagram: App Server → SGBD (DBMS); Role A uses the connection "Table A + duty A" and reaches Table A, Role B uses the connection "Table B + duty B" and reaches Table B)

Authorization
• Have in mind the rule:
  – Nothing by default
• Centralize all authorization code on the SERVER
• If client state is mandatory, use encryption and integrity checking on the server side to catch state tampering.
• Limit the number of transactions per user in a time interval.

Authorization
• Enforce:
  – protection of URLs to authorized accounts only
  – protection of functions to authorized accounts only
  – protection of file access to authorized accounts only
• The application needs to terminate the session when authorization fails.
• Split administrative and user authorization
• Enforce dormant account handling:
  – loss of privileges
  – "disable account"
  – alerts

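Added example (my code, not from the slides) for the two Authorization slides: one server-side decision point that denies by default, disables dormant accounts, keeps administrative and user duties apart, and limits transactions per user in a sliding time window. The permission and role names, the in-memory store and the thresholds are assumptions.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.EnumSet;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Central, deny-by-default authorization with a per-user transaction limit (added example). */
public final class AccessControl {

    public enum Permission { VIEW_ACCOUNT, TRANSFER, MANAGE_USERS }

    /** Duties are split: no role holds both TRANSFER (user) and MANAGE_USERS (admin). */
    public enum Role {
        USER(EnumSet.of(Permission.VIEW_ACCOUNT, Permission.TRANSFER)),
        ADMIN(EnumSet.of(Permission.VIEW_ACCOUNT, Permission.MANAGE_USERS));
        final EnumSet<Permission> grants;
        Role(EnumSet<Permission> grants) { this.grants = grants; }
    }

    /** Minimal account record; assumption: real code reads this from the user store. */
    static final class Account {
        final Role role;
        volatile boolean disabled;
        final long lastLoginMillis;
        Account(Role role, long lastLoginMillis) { this.role = role; this.lastLoginMillis = lastLoginMillis; }
    }

    private final Map<String, Account> accounts = new ConcurrentHashMap<>();
    private final Map<String, Deque<Long>> recentTx = new ConcurrentHashMap<>();
    private final int maxTxPerWindow;
    private final long windowMillis;
    private final long dormantAfterMillis;

    public AccessControl(int maxTxPerWindow, long windowMillis, long dormantAfterMillis) {
        this.maxTxPerWindow = maxTxPerWindow;
        this.windowMillis = windowMillis;
        this.dormantAfterMillis = dormantAfterMillis;
    }

    public void register(String user, Role role, long lastLoginMillis) {
        accounts.put(user, new Account(role, lastLoginMillis));
    }

    /**
     * The single server-side decision point. Unknown user, disabled account, dormant account or a
     * permission the role does not grant all answer false: nothing is allowed by default.
     */
    public boolean isAllowed(String user, Permission permission, long nowMillis) {
        Account acct = user == null ? null : accounts.get(user);
        if (acct == null || acct.disabled) {
            return false;
        }
        if (nowMillis - acct.lastLoginMillis > dormantAfterMillis) {
            acct.disabled = true;   // dormant account: privileges lost and account disabled; alerting is up to the caller
            return false;
        }
        return acct.role.grants.contains(permission);
    }

    /** Sliding-window limit on transactions per user; false once the budget for the window is spent. */
    public boolean admitTransaction(String user, long nowMillis) {
        if (user == null) {
            return false;
        }
        Deque<Long> stamps = recentTx.computeIfAbsent(user, k -> new ArrayDeque<>());
        synchronized (stamps) {
            while (!stamps.isEmpty() && nowMillis - stamps.peekFirst() >= windowMillis) {
                stamps.pollFirst();
            }
            if (stamps.size() >= maxTxPerWindow) {
                return false;
            }
            stamps.addLast(nowMillis);
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: 3 transfers per minute, accounts dormant after 90 days without login
        AccessControl ac = new AccessControl(3, 60_000L, 90L * 24 * 3600 * 1000);
        long now = System.currentTimeMillis();
        ac.register("alice", Role.USER, now);
        ac.register("bob", Role.ADMIN, now);
        ac.register("carol", Role.USER, now - 100L * 24 * 3600 * 1000);   // dormant
        System.out.println("alice transfer: " + ac.isAllowed("alice", Permission.TRANSFER, now));
        System.out.println("bob transfer: " + ac.isAllowed("bob", Permission.TRANSFER, now));
        System.out.println("carol view: " + ac.isAllowed("carol", Permission.VIEW_ACCOUNT, now));
        System.out.println("mallory view: " + ac.isAllowed("mallory", Permission.VIEW_ACCOUNT, now));
        for (int i = 0; i < 4; i++) {
            System.out.println("alice transfer " + i + " admitted: " + ac.admitTransaction("alice", now));
        }
    }
}
```

When isAllowed() returns false for an authenticated user, the caller should invalidate the session, as the slide requires, rather than only returning an error page.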
Validation of Data

![Page 99: 2013 06-27-securecoding-en - jug pch](https://reader033.vdocuments.mx/reader033/viewer/2022060108/554f72dab4c9058a148b5420/html5/thumbnails/99.jpg)
Input ValidaPon
• Ensure all data validaPon are done on THE SERVER.–If you do something on client side we can said you do “painPng”
• Classify your data :–Trusted Data –Untrusted Data
• Conduct trusted path.• Centralize your data validaPon• Use correct parametrize query when exists (SQL)
Border validation
• Consider validating data at all the entry points of your application border.
Input Validation
• Use the proper character set for all input.
• Encode all data to the same character set before doing anything <=> canonicalize.
• Reject all non-validated data.
• Validate data against:
– the expected type (convert as soon as possible to Java types)
– the expected range
– the expected length
– the expected values
– an expected “white list” if possible
Input Validation
• Be careful with “hazardous” characters (ex: <>’,”!(+)&\ %.)
• Add specific validation:
– check for null bytes (%00)
– check for new lines (%0D, %0A, \n, \r, ...)
– check for dot-dot-slashes (../)
Be careful of encoding for specific validation...
The same payload appears in several encodings; a check that only looks at one form misses the others:
– URL: %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%58%53%53%29%3b%3c%2f%73%63%72%69%70%74%3e%0a
– HTML: <script>alert(XSS);</script>
– UTF-8 (%u escapes, full-width letters): %u003c%uff53%uff43%uff52%uff49%uff50%uff54%u003e%uff41%uff4c%uff45%uff52%uff54%uff08%uff38%uff33%uff33%uff09%u003c%u2215%uff53%uff43%uff52%uff49%uff50%uff54%u003
– One space? < s c r i p t > a l e r t ( X S S ) ; < / s c r i p t >
– Decoded: <script>alert(XSS);</script>
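The validation rules of the last three slides (canonicalize first, then check null bytes, line breaks, dot-dot-slash and a white list) put together, as an added example that is not part of the original deck. The item-identifier white list, the `%uXXXX` decoder and the sample inputs are assumptions made for the example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.text.Normalizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/** Added example: canonicalize untrusted input first, then validate it against a white list. */
public final class InputValidator {
    // Hypothetical white list for an item identifier: ASCII letters, digits and dashes, 1 to 32 chars.
    private static final Pattern ITEM_ID = Pattern.compile("^[A-Za-z0-9-]{1,32}$");
    // Non-standard %uXXXX escapes (the "UTF-8" row on the slide); URLDecoder does not know them.
    private static final Pattern PERCENT_U = Pattern.compile("%u([0-9A-Fa-f]{4})");
    /** Replace every %uXXXX escape with the UTF-16 code unit it names. */
    static String decodePercentU(String s) {
        Matcher m = PERCENT_U.matcher(s);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            char c = (char) Integer.parseInt(m.group(1), 16);
            m.appendReplacement(sb, Matcher.quoteReplacement(String.valueOf(c)));
        }
        m.appendTail(sb);
        return sb.toString();
    }
    /** Decode until the value stops changing (catches double encoding), then apply Unicode NFKC
     *  so compatibility forms such as the full-width "ｓ" fold to a plain "s". */
    static String canonicalize(String raw) {
        String s = raw;
        for (int round = 0; round < 3; round++) {
            String decoded;
            try {
                decoded = URLDecoder.decode(decodePercentU(s), "UTF-8");
            } catch (UnsupportedEncodingException e) {
                throw new AssertionError(e); // UTF-8 is always available
            }
            if (decoded.equals(s)) break;
            s = decoded;
        }
        return Normalizer.normalize(s, Normalizer.Form.NFKC);
    }
    /** Returns the canonical value if it passes every check, otherwise throws: reject all non-validated data. */
    static String validateItemId(String raw) {
        String value;
        try {
            value = canonicalize(raw);
        } catch (IllegalArgumentException e) { // URLDecoder: malformed %xx sequence
            throw new IllegalArgumentException("malformed encoding");
        }
        // The specific checks from the slides: null bytes, line breaks, dot-dot-slash.
        if (value.indexOf('\0') >= 0) throw new IllegalArgumentException("null byte");
        if (value.indexOf('\n') >= 0 || value.indexOf('\r') >= 0) throw new IllegalArgumentException("line break");
        if (value.contains("../") || value.contains("..\\")) throw new IllegalArgumentException("dot-dot-slash");
        // Finally the white list: expected type, length and characters in one pattern.
        if (!ITEM_ID.matcher(value).matches()) throw new IllegalArgumentException("outside white list");
        return value;
    }
    public static void main(String[] args) {
        // Constructed samples; the second and third are the slide's payload in two of its encodings.
        String[] samples = {
            "item-0001",
            "%3c%73%63%72%69%70%74%3e",                         // URL-encoded <script>
            "%u003c%uff53%uff43%uff52%uff49%uff50%uff54%u003e", // %u escapes with full-width letters
            "..%2f..%2fsecret.txt",                             // traversal behind one layer of encoding
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + validateItemId(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample is accepted; the full-width variant is rejected because NFKC folds it back to `<script>` before the white list runs.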
Validate Data
SQL => bad
SQL => a little bit better
JPA/Entity
Bad: untrusted input is concatenated into the query text.
```java
List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList();
List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList();
int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate();
```
Better: the query text is fixed and the value is bound as a parameter.
```java
/* positional parameter in JPQL */
Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1");
List results = jpqlQuery.setParameter(1, "123-ADB-567-QTWYTFDL").getResultList();

/* native SQL with a positional parameter */
Query sqlQuery = entityManager.createNativeQuery("Select * from Books where author = ?", Book.class);
List results = sqlQuery.setParameter(1, "Charles Dickens").getResultList();

/* named query in JPQL - query named "myCart" being "Select c from Cart c where c.itemId = :itemId" */
Query jpqlQuery = entityManager.createNamedQuery("myCart");
List results = jpqlQuery.setParameter("itemId", "item-id-0001").getResultList();

/* named parameter in JPQL */
Query jpqlQuery = entityManager.createQuery("Select emp from Employees emp where emp.incentive > :incentive");
List results = jpqlQuery.setParameter("incentive", new Long(10000)).getResultList();
```
XML => bad
XML => Validating via regexp/white list
Better, an XML schema
```xml
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="item">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="description" type="xs:string"/>
        <xs:element name="price" type="xs:decimal"/>
        <xs:element name="quantity" type="xs:integer"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
```
XML => XML parser validation
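Validating an `item` document against the schema of the previous slide with the JDK's `javax.xml.validation` API, as an added example that is not part of the original deck. It goes one step beyond the slide: the bare `xs:decimal` and `xs:integer` types still accept a negative price or quantity, so the schema here adds `xs:restriction` facets, and the factory and validator are told not to fetch external DTDs or schemas. The sample documents are constructed.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

/** Added example: schema validation of an "item" document with range facets. */
public final class ItemSchemaValidator {

    // The slide's schema, with range/length restrictions added for each element.
    static final String ITEM_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + " <xs:element name=\"item\"><xs:complexType><xs:sequence>"
      + "  <xs:element name=\"description\"><xs:simpleType>"
      + "   <xs:restriction base=\"xs:string\"><xs:maxLength value=\"200\"/></xs:restriction>"
      + "  </xs:simpleType></xs:element>"
      + "  <xs:element name=\"price\"><xs:simpleType>"
      + "   <xs:restriction base=\"xs:decimal\"><xs:minInclusive value=\"0\"/></xs:restriction>"
      + "  </xs:simpleType></xs:element>"
      + "  <xs:element name=\"quantity\"><xs:simpleType>"
      + "   <xs:restriction base=\"xs:integer\"><xs:minInclusive value=\"1\"/></xs:restriction>"
      + "  </xs:simpleType></xs:element>"
      + " </xs:sequence></xs:complexType></xs:element>"
      + "</xs:schema>";

    private final Validator validator; // not thread-safe: one per thread or synchronize

    ItemSchemaValidator() throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Neither the schema compiler nor the validator may fetch external DTDs or schemas.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = factory.newSchema(new StreamSource(new StringReader(ITEM_XSD)));
        validator = schema.newValidator();
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    }

    /** Returns null when the document is valid, otherwise the parser's reason for rejecting it. */
    String check(String xml) {
        try {
            validator.validate(new StreamSource(new StringReader(xml)));
            return null;
        } catch (SAXException | IOException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws SAXException {
        ItemSchemaValidator v = new ItemSchemaValidator();
        // Constructed documents: one valid, one with a negative price, one with an unexpected element.
        String good = "<item><description>Book</description><price>12.50</price><quantity>2</quantity></item>";
        String negativePrice = "<item><description>Book</description><price>-1</price><quantity>2</quantity></item>";
        String extraElement = "<item><description>Book</description><price>1</price><quantity>2</quantity><admin>true</admin></item>";
        System.out.println("good: " + v.check(good));
        System.out.println("negative price: " + v.check(negativePrice));
        System.out.println("extra element: " + v.check(extraElement));
    }
}
```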
LDAP => bad
LDAP => better
Using OWASP ESAPI
Output Encoding
Output encoding
• It's a defense-in-depth mechanism.
• Encode ON THE SERVER.
• Centralize the encoder functions.
• Sanitize all data sent to the client.
– HTMLEncode is a minimum, but it does not work in all cases.
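Why "HTMLEncode is a minimum" is the right wording: the same value needs a different encoder for element content, for a quoted attribute, for a JavaScript string and for a URL attribute. The following centralized encoder is an added example written for this page, not OWASP ESAPI's code; the value `O'Neil <b>` is a constructed user input.

```java
import java.util.Locale;

/** Added example: context-aware output encoding, one function per output context. */
public final class OutputEncoder {

    /** The "minimum" HTMLEncode: only the three characters that break element content. */
    static String naiveHtmlEncode(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    /** Encode every non-alphanumeric character as a numeric entity. This also covers both
     *  quote characters, so it is safe in element content and inside a quoted attribute value. */
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else {
                sb.append("&#x").append(Integer.toHexString(c)).append(';');
            }
        }
        return sb.toString();
    }

    /** Encode for a JavaScript string literal. HTML entities are not decoded inside <script>,
     *  so this context needs its own \xHH / \uHHHH escaping, not HTML encoding. */
    static String encodeForJavaScript(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else if (c < 256) {
                sb.append(String.format("\\x%02x", (int) c));
            } else {
                sb.append(String.format("\\u%04x", (int) c));
            }
        }
        return sb.toString();
    }

    /** For href/src attributes, encoding alone is not enough: a "javascript:" URL is still a
     *  working URL after HTML encoding. Allow only http(s), then encode for the attribute. */
    static String encodeForHref(String url) {
        String lower = url.trim().toLowerCase(Locale.ROOT);
        if (!(lower.startsWith("http://") || lower.startsWith("https://"))) {
            return "#"; // rejected: scheme not on the white list
        }
        return encodeForHtml(url);
    }

    public static void main(String[] args) {
        String name = "O'Neil <b>"; // constructed user-supplied value
        // The naive encoder leaves the apostrophe, which ends a single-quoted attribute value.
        System.out.println("<input value='" + naiveHtmlEncode(name) + "'>");
        System.out.println("<input value='" + encodeForHtml(name) + "'>");
        System.out.println("<script>var n = '" + encodeForJavaScript(name) + "';</script>");
        System.out.println("<a href=\"" + encodeForHref("javascript:void(0)") + "\">x</a>");
        System.out.println("<a href=\"" + encodeForHref("https://www.owasp.org/") + "\">OWASP</a>");
    }
}
```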
Attempt 1 => bad
Attempt 2 => it's bad, but better than nothing
A good solution with a robust sanitizer :)
Error Logging
Error Handling
Your application will crash!
• Catch all exceptions without exception (remember the null pointer exception!)
– Clean all exception code of sensitive data.
– Don't give the user any details about the crash; just say “It's a crash, try again later”.
• Logs are sensitive, you MUST PROTECT THEM.
• Log:
– input validation failures
– authentication requests, especially failures
– access control failures
– system exceptions
– administrative functionality
– crypto failures
– invalid/expired session token access
Logging/Errors
• Split your logs into categories, for example:
– Access
– Error
– Debug
– Audit
• Use log4j for standard logging.
Log4J Example
```java
package com.sec.dev;

// Import log4j classes.
import org.apache.log4j.BasicConfigurator;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;

public class SecLogger {

    // Define a static logger variable so that it references the
    // Logger instance named "SecLogger".
    static Logger logger = Logger.getLogger(SecLogger.class);

    public static void main(String[] args) {
        // Set up a simple configuration that logs on the console.
        BasicConfigurator.configure();

        // Optional if a log4j.properties file is not used.
        // Possible levels: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL
        logger.setLevel(Level.DEBUG);

        logger.info("Entering application.");
        Bar bar = new Bar(); // Bar: the application's own class, not shown on the slide
        bar.doIt();
        logger.info("Exiting application.");
    }
}
```
Bad handling of Exception
Good Housecleaning
```java
// SensitiveData: the application's own holder for the secret (a char[] that can be overwritten,
// unlike an immutable String); logger: the class's log4j Logger.
SensitiveData sensitiveData = null; // declared outside the try so the handlers can reach it
PrintWriter out = null;
try {
    sensitiveData = new SensitiveData("4242424242424242");
    out = new PrintWriter(new FileWriter("OutFile.txt"));
    // Do stuff...
} catch (IOException e) {
    if (sensitiveData != null) {
        sensitiveData.set("0000000000000000"); // wipe the secret before anything is logged
    }
    logger.error("IO exception: " + e.getMessage());
} catch (Exception e) {
    if (sensitiveData != null) {
        sensitiveData.set("0000000000000000");
    }
    logger.error("Error occurred! " + e.getMessage());
} finally {
    if (sensitiveData != null) {
        sensitiveData.set("0000000000000000"); // also runs on the success path
    }
    if (out != null) {
        out.close(); // RELEASE RESOURCES
    }
}
```
Better handling of exceptions and errors
```xml
<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/error.jsp</location>
</error-page>
```
Data Protection
Data protection
• Protect sensitive data; don't store it in clear.
• Store sensitive data in trusted systems.
• Don't use GET requests for sensitive data.
• Disable client-side caching.
Disable Client Side caching
```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class CacheControlFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) response;
        // A date in the past: HTTP/1.0 caches treat the response as already expired.
        resp.setHeader("Expires", "Tue, 03 Jul 2001 06:00:00 GMT");
        // setDateHeader formats the value as an HTTP date (Date.toString() does not).
        resp.setDateHeader("Last-Modified", System.currentTimeMillis());
        // HTTP/1.1 caches and browsers: never store, always revalidate.
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
        resp.setHeader("Pragma", "no-cache");
        // Headers are set before the chain continues, so the protected page cannot be cached.
        chain.doFilter(request, response);
    }

    public void destroy() {
    }
}
```
web.xml
```xml
<filter>
  <filter-name>SetCacheControl</filter-name>
  <filter-class>com.sec.dev.CacheControlFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SetCacheControl</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
Access to FileSystem
Absolute Path is bad
Canonicalisation is good
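The two slides above ("Absolute Path is bad", "Canonicalisation is good") in code, as an added example that is not part of the original deck: a user-supplied name is never opened directly, it is resolved under a fixed base directory, canonicalized, and only then checked for containment. The base directory and the sample names are constructed for the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

/** Added example: resolve user-supplied file names only inside a fixed base directory. */
public final class SafeFileAccess {

    private final File baseDir;

    SafeFileAccess(File baseDir) throws IOException {
        // Canonical form: absolute, symlinks followed, "." and ".." removed.
        this.baseDir = baseDir.getCanonicalFile();
    }

    /** Return the canonical file for userPath, or throw if it lies outside baseDir. */
    File resolve(String userPath) throws IOException {
        if (userPath.indexOf('\0') >= 0) {
            throw new IOException("null byte in path");
        }
        // Build the path under baseDir (an absolute name is treated as relative to it),
        // then canonicalize so that ".." and symlinks are resolved before the check.
        File candidate = new File(baseDir, userPath).getCanonicalFile();
        if (!candidate.getPath().startsWith(baseDir.getPath() + File.separator)) {
            throw new IOException("path escapes base directory: " + userPath);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed base directory; the files do not need to exist for the check to work.
        File base = Files.createTempDirectory("uploads").toFile();
        SafeFileAccess access = new SafeFileAccess(base);
        String[] names = { "reports/2013/q2.pdf", "../../outside.txt", "/etc/hosts" };
        for (String name : names) {
            try {
                System.out.println("ok: " + access.resolve(name));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        base.delete();
    }
}
```

The second name is rejected after canonicalization; the third is accepted but resolves to a file under the base directory, not to the system file of that name.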
Secure Communications
Secure Communications
• Use TLS/SSL:
– at least SSL v3.0/TLS 1.0
– a minimum of 128-bit encryption
– use secure crypto: AES is good
• Don't expose critical data in the URL.
• Failed SSL/TLS communications should not fall back to insecure ones.
• Validate the certificate when used.
• Protect all pages, not just the logon page!
Force TLS/SSL Response
• Use HTTP Strict Transport Security (HSTS).
– Available on some browsers (not IE)
– IETF draft: http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-04
```java
HttpServletResponse response = ...;
response.setHeader("Strict-Transport-Security", "max-age=7776000; includeSubDomains");
```
Configuration
• Review all properties and configuration files.
• Be careful of default passwords...
• Remove, and not just deactivate, unused functions/modules.
• Use a sandbox system when available.
• Be careful of Java signed code, which executes with more privileges!
Now you can protect against him
NEWS
A BLOG
A PODCAST
MEMBERSHIPS
MAILING LISTS
A NEWSLETTER
APPLE APP STORE
VIDEO TUTORIALS
TRAINING SESSIONS
SOCIAL NETWORKING
We are also human, and we can simply go and have a drink.
Dates
• AppSec Research Europe 2013: 20/23 August – Hamburg – Germany
• October 2013: OSSIR PARIS – OWASP Top 10 2013: what's new?
• OWASP Benelux: 28/29 November 2013
A tour of the JUGs is planned in France; if you know one nearby...
Supporting OWASP
• Different options:
– Individual member: $50
– Corporate member: $5000
– Free donation
• Supporting only the France chapter:
– Single Meeting supporter
• Offer us a meeting room!
• Take part with a talk or something else!
• Simple donation
– Local Chapter supporter: $500 to $2000
Next meetings
• September 2013
– Room: Mozilla Center Paris
– Speakers:
• Security on Firefox OS
• To be decided
• November 2013
– Room: to be decided
– Speaker: to be decided
September looks wonderful, with all kinds of announcements....
License
If you followed everything, you know the next slide....
@SPoint