The OWASP Enterprise Security API( ESAPI )

OWASP

To ensure thatstrong simple security

controls are available to every developer

in every environment

ESAPI Mission

Where Do Vulnerabilities Come From?

Controls Every Application Needs

Access Control

Authenti-cation and

Identity

App Firewall

Access Reference

Map

Output Escaping

Input Validation

LoggingException Handling

Secure Config

Intrusion Detection

HTTP Utilities

Encryption and Signing

Security Controls

Are Hard

Escaping Gone Wild Percent Encoding%3c%3C

 HTML Entity Encoding

&#60&#060&#0060&#00060&#000060&#0000060<<<<<<&#x3c&#x03c&#x003c&#x0003c&#x00003c&#x000003c<<<<<<&#X3c&#X03c&#X003c&#X0003c&#X00003c&#X000003c<<<

<<< &#x3C&#x03C&#x003C&#x0003C&#x00003C&#x000003C<<<<<<&#X3C&#X03C&#X003C&#X0003C&#X00003C&#X000003C<<<<<< &lt&lT&Lt&LT<&lT;≪<

JavaScript Escape\<\x3c\X3c\u003c\U003c\x3C\X3C\u003C\U003C 

CSS Escape\3c\03c\003c\0003c\00003c\3C\03C\003C\0003C\00003C

Overlong UTF-8%c0%bc%e0%80%bc%f0%80%80%bc%f8%80%80%80%bc%fc%80%80%80%80%bc

US-ASCII¼

UTF-7+ADw-

Punycode<-

<

Cheaper, Better, Faster

http://www.owasp.org/images/c/c7/Esapi-before-after.JPG

attacks

threats exploits

vulnerabilities

RiskWorld risks

controls

AssuranceWorld

accountability

pentest

scanning

assurance

patterns

verification architecture

policy

impact

flaws

metrics

visibility

completeness

ESAPI Scorecard

Authentication Identity Access Control * * Input Validation Output Escaping Canonicalization Encryption Random Numbers Exceptions Logging IntrusionDetection Security Config App Firewall

Assurance

Deceptively Tricky Problems for Developers

1. Input Validation and Output Encoding2. Authentication and Identity3. URL Access Control4. Business Function Access Control5. Data Layer Access Control6. Presentation Layer Access Control7. Errors, Logging, and Intrusion Detection8. Encryption, Hashing, and Randomness

Lots more…

Stopping InjectionQuick and Dirty

Ad Hoc Escaping

Generic Validation

Stopping InjectionEnterprise

Automatic Escaping

Managed Specific Validation

Managed Generic Validation

Jeff WilliamsAspect Security CEO

OWASP Foundation Chairjeff.williams@aspectsecurity.comhttp://www.aspectsecurity.com

twitter @planetlevel410-707-1487

Questions?

Stopping InjectionQuick and Dirty

Ad Hoc Escaping

Generic Validation

Stopping InjectionStrong Application

Mandatory Escaping

Specific Validation

Generic Validation (+can)

ESAPI Web App Firewall (WAF)

attacker

userESAPI

WAF

Critical Application?

PCI requirement?3rd party

application?Legacy

application?Incident response?

Virtual patchesAuthentication rulesURL access control

Egress filteringAttack surface reduction

Real-time security

AuthN and AuthZQuick and Dirty

User in Session

Simple Authentication Model

Ad Hoc Authorization

AuthN and AuthZStrong Application

Identity Everywhere

Automatic CG Authorization

Alternate Authentication

Automatic FG Authorization

AuthN and AuthZEnterprise

AuthZ Policy Management

AuthZ Entitlement Mgmt

Identity Management

Applications Enjoy Attacks

YouTube

Live Search

Blogger

Accountability and DetectionQuick and Dirty

Ad Hoc Security Logging

Security Exceptions (2 msgs)

Ad Hoc Authorization

Accountability and DetectionStrong Application

Intrusion Detection

Automatic Security Logging

Accountability and DetectionEnterprise

Log Policy Management

Dynamic Incident Response

Centralized Logging

ESAPI Swingset