
OWASP

OWASP. The OWASP Enterprise Security API (ESAPI). ESAPI Mission: to ensure that strong, simple security controls are available to every developer in every environment. Where Do Vulnerabilities Come From? Controls Every Application Needs. Security Controls Are Hard.





Presentation Transcript


  1. OWASP: The OWASP Enterprise Security API (ESAPI)

  2. ESAPI Mission: To ensure that strong, simple security controls are available to every developer in every environment

  3. Where Do Vulnerabilities Come From?

  4. Controls Every Application Needs

  5. Security Controls Are Hard

  6. Escaping Gone Wild. Every row below is a way of writing the single character `<` (byte 0x3C):
     Percent Encoding: %3c %3C
     HTML Entity Encoding, decimal (with and without leading zeros and the trailing semicolon): &#60 &#060 &#0060 &#00060 &#000060 &#0000060 &#60; &#060; &#0060; &#00060; &#000060; &#0000060;
     HTML Entity Encoding, hexadecimal (x/X and case variants): &#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c &#x3c; &#x03c; &#x003c; &#x0003c; &#x00003c; &#x000003c; &#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c &#X3c; &#X03c; &#X003c; &#X0003c; &#X00003c; &#X000003c; &#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C &#x3C; &#x03C; &#x003C; &#x0003C; &#x00003C; &#x000003C; &#X3C &#X03C &#X003C &#X0003C &#X00003C &#X000003C &#X3C; &#X03C; &#X003C; &#X0003C; &#X00003C; &#X000003C;
     HTML Named Entity (case variants, with and without semicolon): &lt &lT &Lt &LT &lt; &lT; &Lt; &LT;
     JavaScript Escape: \< \x3c \X3c \u003c \U003c \x3C \X3C \u003C \U003C
     CSS Escape: \3c \03c \003c \0003c \00003c \3C \03C \003C \0003C \00003C
     Overlong UTF-8: %c0%bc %e0%80%bc %f0%80%80%bc %f8%80%80%80%bc %fc%80%80%80%80%bc
     US-ASCII: ¼ (byte 0xBC; with the high bit dropped it is 0x3C)
     UTF-7: +ADw-
     Punycode
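Every row above decodes to the same byte, so a validator that looks for a literal `<` sees nothing. The usual answer is to canonicalize first: decode until nothing changes, and treat the need for more than one decoding step as an attack in itself. The following is an added example written for this page, not ESAPI's own canonicalizer; the decoder labels, the short named-entity table and the sample inputs are this example's assumptions:

```python
import codecs
import re

# Added example, not ESAPI code: a canonicalizer for the encodings on this slide.
# Each decoder returns (text, labels); canonicalize() runs them until the text
# stops changing and keeps every label, so one '<' surfaces whatever disguise it
# wore, and mixed or double encoding shows up as more than one label.
# Decoder labels are this example's own; sample inputs are constructed.

_NAMED = {"lt": "<", "gt": ">", "amp": "&", "quot": '"'}
# (length, lead mask, lead bits, smallest code point that length may legally carry)
_UTF8_FORMS = ((2, 0xE0, 0xC0, 0x80), (3, 0xF0, 0xE0, 0x800), (4, 0xF8, 0xF0, 0x10000),
               (5, 0xFC, 0xF8, 0x200000), (6, 0xFE, 0xFC, 0x4000000))


def _chr(cp):
    return chr(cp) if cp <= 0x10FFFF else "\ufffd"   # keep impossible code points visible


def _utf8_lenient(data):
    """UTF-8 decode that accepts overlong forms (C0 BC, E0 80 BC, ...) and, for a
    stray high byte, does what a US-ASCII server does: drops bit 7 (0xBC -> 0x3C)."""
    out, labels, i = [], set(), 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            out.append(chr(lead))
            i += 1
            continue
        form = next((f for f in _UTF8_FORMS if lead & f[1] == f[2]), None)
        tail = data[i + 1:i + form[0]] if form else b""
        if form and len(tail) == form[0] - 1 and all(t & 0xC0 == 0x80 for t in tail):
            cp = lead & (0xFF >> (form[0] + 1))       # payload bits of the lead byte
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            if cp < form[3]:
                labels.add("overlong-utf8")
            out.append(_chr(cp))
            i += form[0]
        else:
            labels.add("high-bit-stripped")
            out.append(chr(lead & 0x7F))
            i += 1
    return "".join(out), labels


def _percent(s):
    if not re.search(r"%[0-9a-fA-F]{2}", s):
        return s, set()
    raw, i = bytearray(), 0
    while i < len(s):
        m = re.match(r"%([0-9a-fA-F]{2})", s[i:])
        if m:
            raw.append(int(m.group(1), 16))
            i += 3
        else:
            raw.extend(s[i].encode("utf-8", "surrogatepass"))
            i += 1
    text, labels = _utf8_lenient(bytes(raw))
    return text, labels | {"percent"}


def _html_entity(s):
    t = re.sub(r"&#[xX]0*([0-9a-fA-F]{1,6});?", lambda m: _chr(int(m.group(1), 16)), s)
    t = re.sub(r"&#0*(\d{1,7});?", lambda m: _chr(int(m.group(1))), t)
    t = re.sub(r"&(lt|gt|amp|quot);?", lambda m: _NAMED[m.group(1).lower()], t, flags=re.I)
    return t, {"html-entity"} if t != s else set()


def _css(s):
    # CSS hex escapes take up to six digits and may end with one space
    t = re.sub(r"\\([0-9a-fA-F]{1,6}) ?", lambda m: _chr(int(m.group(1), 16)), s)
    return t, {"css"} if t != s else set()


def _javascript(s):
    t = re.sub(r"\\[uU]([0-9a-fA-F]{4})", lambda m: _chr(int(m.group(1), 16)), s)
    t = re.sub(r"\\[xX]([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), t)
    t = re.sub(r"\\([^0-9A-Za-z])", r"\1", t)           # \< -> <
    return t, {"javascript"} if t != s else set()


def _utf7(s):
    def decode(m):
        try:
            return codecs.decode(m.group(0).encode("ascii"), "utf-7")
        except UnicodeDecodeError:
            return m.group(0)
    t = re.sub(r"\+([A-Za-z0-9/][A-Za-z0-9+/]*)-?", decode, s)
    return t, {"utf-7"} if t != s else set()


def _ascii7(s):
    # A server that declares US-ASCII and ignores bit 7: U+00BC (¼) becomes '<'
    t = "".join(chr(ord(c) & 0x7F) if 0x80 <= ord(c) <= 0xFF else c for c in s)
    return t, {"high-bit-stripped"} if t != s else set()


DECODERS = (_percent, _html_entity, _css, _javascript, _utf7, _ascii7)


def canonicalize(s, max_passes=8):
    """Return (canonical_text, applied). `applied` lists every decoding step in
    order; more than one entry means mixed or double encoding."""
    applied = []
    for _ in range(max_passes):
        before = s
        for decoder in DECODERS:
            s, labels = decoder(s)
            applied.extend(sorted(labels))
        if s == before:
            break
    return s, applied


def contains_tag_start(s):
    return "<" in canonicalize(s)[0]


if __name__ == "__main__":
    for sample in ("%3c", "&#x0003C", "&LT", "\\u003c", "\\3c ", "%c0%bc", "+ADw-", "\u00bc", "%253c"):
        print(repr(sample), canonicalize(sample))
```

`canonicalize("%253c")` reports `["percent", "percent"]`, the double encoding a single-pass decoder misses; a validator should reject any input that needed more than one step, not only inputs that ended up containing `<`.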

  7. Cheaper, Better, Faster

  8. Independence

  9. Positive Security. The slide contrasts an "Assurance World" (accountability, architecture, verification, policy, visibility, patterns, metrics, controls, assurance, completeness) with a "Risk World" (threats, exploits, pentest, impact, flaws, risks, attacks, scanning, vulnerabilities).

  10. Scorecard

  11. Assurance

  12. Deceptively Tricky Problems for Developers
     • Input Validation and Output Encoding
     • Authentication and Identity
     • URL Access Control
     • Business Function Access Control
     • Data Layer Access Control
     • Presentation Layer Access Control
     • Errors, Logging, and Intrusion Detection
     • Encryption, Hashing, and Randomness
     Lots more…

  13. Stopping Injection (Quick and Dirty): Ad Hoc Escaping, Generic Validation

  14. Stopping Injection (Enterprise): Automatic Escaping, Managed Specific Validation, Managed Generic Validation

  15. Jeff Williams, Aspect Security CEO, OWASP Foundation Chair. jeff.williams@aspectsecurity.com, http://www.aspectsecurity.com, twitter @planetlevel, 410-707-1487. Questions?

  17. Stopping Injection (Strong Application): Mandatory Escaping, Specific Validation, Generic Validation (+can)
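What "Specific Validation" plus "Mandatory Escaping" looks like in code, as an added example that is not ESAPI's own implementation: each field gets a whitelist rule checked before any other use, and the template encodes for its output context on every render instead of trusting that a caller escaped earlier. The field names, their rules, the encoder whitelist and the page fragment are constructed for this demo.

```python
import re

# Added example, not ESAPI code: the "Strong Application" column of the slide.
# Specific validation: one whitelist rule per field, length checked first.
# Mandatory escaping: the template encodes everything it writes, every time.
# Field names, rules and the page fragment are constructed for the demo.

FIELD_RULES = {
    # name: (whitelist pattern, maximum length)
    "username": (r"[A-Za-z0-9_]{3,32}", 32),
    "zip": (r"\d{5}(-\d{4})?", 10),
    "comment": (r"[\w .,!?'-]{0,500}", 500),
}


class ValidationError(ValueError):
    """Carries the field name only; the rejected value is never echoed back."""


def validate(field, value):
    pattern, max_len = FIELD_RULES[field]
    # Length first, so an oversized value never reaches the regex engine.
    if len(value) > max_len or not re.fullmatch(pattern, value):
        raise ValidationError(f"{field}: value does not match the allowed format")
    return value


def is_valid(field, value):
    try:
        validate(field, value)
    except (ValidationError, KeyError):
        return False
    return True


def validate_form(form):
    """Validate every field and report all failures at once; an unexpected
    field name (KeyError) is a failure too, not something to pass through."""
    clean, errors = {}, []
    for field, value in form.items():
        if is_valid(field, value):
            clean[field] = value
        else:
            errors.append(field)
    if errors:
        raise ValidationError("rejected fields: " + ", ".join(sorted(errors)))
    return clean


_ALNUM = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")


def encode_for_html(s):
    """Whitelist encoder: anything that is not A-Z, a-z, 0-9 becomes a numeric
    hex entity, so it is inert in element content and in quoted attributes."""
    return "".join(c if c in _ALNUM else f"&#x{ord(c):x};" for c in s)


def encode_for_javascript(s):
    """Same whitelist rule for a JavaScript string literal: \\xHH below U+0100,
    \\uHHHH above, so quotes and slashes cannot close the literal or the tag."""
    def esc(c):
        cp = ord(c)
        return c if c in _ALNUM else (f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}")
    return "".join(esc(c) for c in s)


def render_comment_ad_hoc(comment):
    # "Quick and Dirty": the template trusts whoever remembered to escape upstream.
    return f"<p>{comment}</p>"


def render_comment(comment):
    # "Mandatory escaping": the template encodes for its own context every time.
    return f"<p>{encode_for_html(comment)}</p>"


if __name__ == "__main__":
    payload = "<img src=x onerror=alert(1)>"      # constructed attacker input
    print(render_comment_ad_hoc(payload))        # tag survives intact
    print(render_comment(payload))               # tag arrives as entities
    print(validate_form({"username": "alice", "zip": "12345"}))
```

The comment rule deliberately rejects `<b>`; "generic validation" would let markup through and rely on the encoder alone, which is the weaker column on the slide.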

  18. ESAPI Web App Firewall (WAF)
     When: Critical application? PCI requirement? 3rd party application? Legacy application? Incident response?
     Figure labels: attacker, WAF, ESAPI, user
     Provides: Virtual patches, Authentication rules, URL access control, Egress filtering, Attack surface reduction, Real-time security
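The rule families on the slide, as an added example that is neither the ESAPI WAF's code nor its configuration syntax: a small in-line filter that applies attack-surface reduction, an authentication rule, a virtual patch and egress filtering to constructed requests and responses. The paths, parameter names, the patched pattern and the traffic are assumptions made for the demo.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Added example, not ESAPI WAF code or rule syntax: one rule of each family on
# the slide, applied to constructed requests and responses.


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)
    authenticated: bool = False


@dataclass
class Response:
    status: int
    body: str


# Attack surface reduction: methods and paths nobody should reach through the app.
ALLOWED_METHODS = {"GET", "POST"}
BLOCKED_PATHS = (r"^/\.git(/|$)", r"^/backup", r"\.bak$")

# Authentication rule: these prefixes require an authenticated session.
AUTH_REQUIRED_PREFIXES = ("/account", "/admin")

# Virtual patch: (path, parameter, pattern that must not appear once decoded,
# note).  The bug it covers is hypothetical; the patch buys time until the code is fixed.
VIRTUAL_PATCHES = [
    ("/search", "q", re.compile(r"<|>|javascript:", re.I), "hypothetical XSS in search"),
]

# Egress filtering: data that must not leave in a response body.  The card
# pattern is a simple 16-digit shape, not a Luhn check.
EGRESS_RULES = [
    (re.compile(r"\b(?:\d[ -]?){15}\d\b"), "[card number removed]"),
    (re.compile(r"\w*Exception\b.*?\bat\s+\S+"), "[stack trace removed]"),
]


def inspect_request(req):
    """Return (allowed, reason); a deny reason names the rule family that fired."""
    if req.method not in ALLOWED_METHODS:
        return False, "attack-surface: method"
    for pattern in BLOCKED_PATHS:
        if re.search(pattern, req.path):
            return False, "attack-surface: path"
    if req.path.startswith(AUTH_REQUIRED_PREFIXES) and not req.authenticated:
        return False, "authentication-rule"
    for path, param, pattern, _note in VIRTUAL_PATCHES:
        # decode once, the way the application server would, before matching
        if req.path == path and pattern.search(unquote(req.params.get(param, ""))):
            return False, f"virtual-patch: {path}?{param}"
    return True, "allow"


def inspect_response(resp):
    """Apply every egress rule to the body; the status is passed through."""
    body = resp.body
    for pattern, replacement in EGRESS_RULES:
        body = pattern.sub(replacement, body)
    return Response(resp.status, body)


if __name__ == "__main__":
    traffic = [                                   # constructed requests
        Request("GET", "/search", {"q": "shoes"}),
        Request("GET", "/search", {"q": "%3Cscript%3E"}),
        Request("GET", "/admin"),
        Request("GET", "/.git/config"),
        Request("TRACE", "/"),
    ]
    for req in traffic:
        print(req.method, req.path, inspect_request(req))
    print(inspect_response(Response(200, "card 4111 1111 1111 1111 on file")).body)
```

Virtual patches are the incident-response use from the slide: a deny rule for one parameter on one path ships in minutes, while the real fix goes through the release cycle.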

  19. AuthN and AuthZ (Quick and Dirty): User in Session, Simple Authentication Model, Ad Hoc Authorization

  20. AuthN and AuthZ (Strong Application): Alternate Authentication, Identity Everywhere, Automatic CG (coarse-grained) Authorization, Automatic FG (fine-grained) Authorization

  21. AuthN and AuthZ (Enterprise): Identity Management, AuthZ Policy Management, AuthZ Entitlement Mgmt
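"Identity everywhere", a coarse-grained check on the URL and a fine-grained check in the data layer, as an added example that is not ESAPI's access controller: the authenticated user lives in a per-request context variable, so the data layer can re-check ownership without the identity being threaded through every call. The users, roles, URL-to-role map and invoice records are constructed for the demo.

```python
from contextvars import ContextVar, copy_context
from dataclasses import dataclass

# Added example, not ESAPI code: identity in a request-scoped context variable,
# a coarse-grained (CG) role check on the URL, and a fine-grained (FG) ownership
# check in the data layer.  Users, roles, URL map and records are constructed.


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


ANONYMOUS = User("anonymous", frozenset())
_current_user = ContextVar("current_user", default=ANONYMOUS)


def login(user):
    _current_user.set(user)            # set once per request by the authenticator


def current_user():
    return _current_user.get()         # available to any layer, no parameter passing


class AccessControlException(PermissionError):
    pass


# CG: the role a URL prefix needs.  Longest matching prefix wins; "/" catches the
# rest, so an unmapped URL still needs an authenticated "user" rather than being open.
URL_ROLES = {"/": "user", "/reports": "analyst", "/admin": "admin"}


def is_authorized_for_url(url):
    matches = [p for p in URL_ROLES if url == p or url.startswith(p.rstrip("/") + "/")]
    if not matches:
        return False
    return URL_ROLES[max(matches, key=len)] in current_user().roles


@dataclass
class Invoice:
    id: int
    owner: str
    total: float


INVOICES = {1: Invoice(1, "alice", 120.0), 2: Invoice(2, "bob", 75.5)}   # constructed


def is_authorized_for_data(record):
    user = current_user()
    return "admin" in user.roles or record.owner == user.name


def get_invoice(invoice_id):
    """FG check at the data layer: every read re-checks ownership."""
    record = INVOICES.get(invoice_id)
    if record is None or not is_authorized_for_data(record):
        # same answer for "missing" and "not yours", so ids cannot be enumerated
        raise AccessControlException("invoice not available")
    return record


def _handle(url, user):
    login(user)
    if not is_authorized_for_url(url):
        raise AccessControlException(f"no access to {url}")
    if url.startswith("/invoices/"):
        return get_invoice(int(url.rsplit("/", 1)[1]))
    return "ok"


def handle(url, user):
    # Each request runs in its own copy of the context, so the identity set by
    # login() cannot leak into the next request served on the same thread.
    return copy_context().run(_handle, url, user)


def attempt(url, user):
    """Run a request and report the outcome: an invoice id, "ok", or "denied"."""
    try:
        result = handle(url, user)
    except AccessControlException:
        return "denied"
    return result.id if isinstance(result, Invoice) else result


if __name__ == "__main__":
    alice = User("alice", frozenset({"user"}))
    root = User("root", frozenset({"user", "admin"}))
    for url, user in (("/invoices/1", alice), ("/invoices/2", alice), ("/admin", alice),
                      ("/invoices/2", root), ("/", ANONYMOUS)):
        print(user.name, url, attempt(url, user))
```

The CG check alone would let alice open `/invoices/2`; the FG check in `get_invoice` is what stops her, and it stops her even when some other code path reaches the record without going through the URL.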

  22. Applications Enjoy Attacks (examples shown: Live Search, Blogger, YouTube)

  23. Accountability and Detection (Quick and Dirty): Ad Hoc Security Logging, Security Exceptions (2 msgs), Ad Hoc Authorization

  24. Accountability and Detection (Strong Application): Automatic Security Logging, Intrusion Detection

  25. Accountability and Detection (Enterprise): Centralized Logging, Log Policy Management, Dynamic Incident Response
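Security exceptions that carry two messages, security logging that resists log forging, and threshold-based intrusion detection, as an added example that is not ESAPI's own logging or intrusion-detection code (it serves slides 23 and 24 together). The event names, thresholds, actions and the sample event stream are constructed for the demo.

```python
import re
import time
from collections import defaultdict, deque

# Added example, not ESAPI code.  Three pieces from slides 23-24:
#  - a security exception with a bland user message and a detailed log message
#  - a security log line that neutralises CR/LF so attackers cannot forge entries
#  - a sliding-window intrusion detector that turns repeated events into an action
# Event names, thresholds, actions and sample events are constructed.


class SecurityException(Exception):
    """Two messages: one the user sees, one only the log sees."""

    def __init__(self, user_message, log_message, event="security.exception"):
        super().__init__(user_message)
        self.user_message, self.log_message, self.event = user_message, log_message, event


LOG = []   # stands in for the logging backend


def log_security_event(level, user, event, detail=""):
    """One structured line.  Untrusted fields have CR and LF replaced, so a user
    name of "bob\\nALERT ..." cannot append a fake second entry."""
    def clean(value):
        return re.sub(r"[\r\n]", "_", str(value))
    line = f"{level} user={clean(user)} event={clean(event)} detail={clean(detail)}"
    LOG.append(line)
    return line


class IntrusionDetector:
    """If `count` events of one type from one user fall inside `window` seconds,
    the configured action fires and the window for that user is reset."""

    def __init__(self, thresholds):
        self.thresholds = thresholds            # event -> (count, window_s, action)
        self.events = defaultdict(deque)        # (user, event) -> recent timestamps

    def add_event(self, user, event, now=None):
        now = time.time() if now is None else now
        log_security_event("WARN", user, event)
        if event not in self.thresholds:
            return None
        count, window, action = self.thresholds[event]
        recent = self.events[(user, event)]
        recent.append(now)
        while recent and now - recent[0] > window:   # drop events outside the window
            recent.popleft()
        if len(recent) >= count:
            recent.clear()
            log_security_event("ALERT", user, event, f"{count} in {window}s -> {action}")
            return action
        return None


# Constructed policy: 5 failed logins in a minute disables the account,
# 3 validation failures in 30 s ends the session.
THRESHOLDS = {"auth.failure": (5, 60, "disable"), "validation.failure": (3, 30, "logout")}


def handle_security_exception(detector, user, exc, now=None):
    """What the application does when a control throws: log the detailed
    message, count the event, and hand the user only the bland message."""
    log_security_event("ERROR", user, exc.event, exc.log_message)
    action = detector.add_event(user, exc.event, now)
    return exc.user_message, action


if __name__ == "__main__":
    detector = IntrusionDetector(THRESHOLDS)
    t0 = 1000.0                                      # constructed clock
    for i in range(5):
        print("mallory login failure", i + 1, "->", detector.add_event("mallory", "auth.failure", t0 + i))
    exc = SecurityException("Request could not be processed",
                            "SQL metacharacters in parameter id: 1' OR 1=1--",
                            "validation.failure")
    for i in range(3):
        print(handle_security_exception(detector, "eve", exc, t0 + 10 + i))
    print(log_security_event("INFO", "bob\r\nALERT user=admin event=login", "login"))
    print(*LOG[-3:], sep="\n")
```

The detector is per user and per event type, so five failures spread over hours never trip it; the logout and disable actions are where "dynamic incident response" on the next slide starts.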

  26. ESAPI Swingset
