owasp. to ensure that strong simple security controls are available to every developer in every...
TRANSCRIPT
The OWASP Enterprise Security API( ESAPI )
OWASP
To ensure thatstrong simple security
controls are available to every developer
in every environment
ESAPI Mission
Where Do Vulnerabilities Come From?
Controls Every Application Needs
Access Control
Authenti-cation and
Identity
App Firewall
Access Reference
Map
Output Escaping
Input Validation
LoggingException Handling
Secure Config
Intrusion Detection
HTTP Utilities
Encryption and Signing
Security Controls
Are Hard
Escaping Gone Wild Percent Encoding%3c%3C
HTML Entity Encoding
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
<<< <<<<<<<<<<<<<<<<<<<<<<<< <&lT&Lt<<&lT;≪<
JavaScript Escape\<\x3c\X3c\u003c\U003c\x3C\X3C\u003C\U003C
CSS Escape\3c\03c\003c\0003c\00003c\3C\03C\003C\0003C\00003C
Overlong UTF-8%c0%bc%e0%80%bc%f0%80%80%bc%f8%80%80%80%bc%fc%80%80%80%80%bc
US-ASCII¼
UTF-7+ADw-
Punycode<-
<
Cheaper, Better, Faster
attacks
threats exploits
vulnerabilities
RiskWorld risks
controls
AssuranceWorld
accountability
pentest
scanning
assurance
patterns
verification architecture
policy
impact
flaws
metrics
visibility
completeness
ESAPI Scorecard
Authentication Identity Access Control * * Input Validation Output Escaping Canonicalization Encryption Random Numbers Exceptions Logging IntrusionDetection Security Config App Firewall
Assurance
Deceptively Tricky Problems for Developers
1. Input Validation and Output Encoding2. Authentication and Identity3. URL Access Control4. Business Function Access Control5. Data Layer Access Control6. Presentation Layer Access Control7. Errors, Logging, and Intrusion Detection8. Encryption, Hashing, and Randomness
Lots more…
Stopping InjectionQuick and Dirty
Ad Hoc Escaping
Generic Validation
Stopping InjectionEnterprise
Automatic Escaping
Managed Specific Validation
Managed Generic Validation
Jeff WilliamsAspect Security CEO
OWASP Foundation [email protected]://www.aspectsecurity.com
twitter @planetlevel410-707-1487
Questions?
Stopping InjectionQuick and Dirty
Ad Hoc Escaping
Generic Validation
Stopping InjectionStrong Application
Mandatory Escaping
Specific Validation
Generic Validation (+can)
ESAPI Web App Firewall (WAF)
attacker
userESAPI
WAF
Critical Application?
PCI requirement?3rd party
application?Legacy
application?Incident response?
Virtual patchesAuthentication rulesURL access control
Egress filteringAttack surface reduction
Real-time security
AuthN and AuthZQuick and Dirty
User in Session
Simple Authentication Model
Ad Hoc Authorization
AuthN and AuthZStrong Application
Identity Everywhere
Automatic CG Authorization
Alternate Authentication
Automatic FG Authorization
AuthN and AuthZEnterprise
AuthZ Policy Management
AuthZ Entitlement Mgmt
Identity Management
Applications Enjoy Attacks
YouTube
Live Search
Blogger
Accountability and DetectionQuick and Dirty
Ad Hoc Security Logging
Security Exceptions (2 msgs)
Ad Hoc Authorization
Accountability and DetectionStrong Application
Intrusion Detection
Automatic Security Logging
Accountability and DetectionEnterprise
Log Policy Management
Dynamic Incident Response
Centralized Logging
ESAPI Swingset