
Application Security




Presentation Transcript


  1. Application Security A case for business

  2. Lack of Security Culture. College curriculums: lack a security module; not updated. Programmers: hard to find; lack formal training; unaware.

  3. Common Vulnerabilities: XSS or cross-site scripting; SQL injection; overflows; format string.

  4. Common approach: Bug is reported. Programmer spends time learning about it. Implements fix. Increase in development time and cost. Later patch might overwrite previous fix. Vulnerability reintroduced.

  5. Missing link (1): Security/input/output validation framework. How? Identify risk-posing tasks in the application: grabbing user input, reading/writing to files, displaying data, using SQL, displaying sensitive user data, buying an item.

  6. Missing link (contd): Identify the common vulnerability types for each risky task, as well as the best-practice approach to locking them down. Created in conjunction with a senior member of the development team and a security consultant.

  7. Sample approaches (1): Grabbing user input: utilize strong data types when applicable; identify and enforce data length restrictions; identify and enforce acceptable character whitelists when utilizing strings. Reading/writing to files: perform and enforce lowest-rights permission checking.

  8. Sample approaches (2): Displaying data: create a whitelist of acceptable characters; characters not on the list should be escaped, stripped or HTML-encoded before display. Using SQL: enforce a character whitelist to prevent SQL injection. Performing important application functionality: proper session validation (authentication), object access checking (authorization).
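The controls from slides 7 and 8 (strong typing, length limits, character whitelists, HTML encoding before display, whitelisting SQL input) as one small validation layer. This is an added example, not code from the deck or from any of the frameworks it names; the field names, limits and the users table are constructed, and the parameterised query is an extra layer on top of the whitelist, not something the slides prescribe.

```python
import html
import re
import sqlite3

# Per-field rules: strong type, length limit, character whitelist.
# Field names and limits are constructed for this example.
RULES = {
    "username": {"type": str, "max_len": 32, "allowed": re.compile(r"[A-Za-z0-9_]+")},
    "quantity": {"type": int, "max_len": 6, "allowed": re.compile(r"[0-9]+")},
}

def validate(field, raw):
    """Return the cleaned, typed value or raise ValueError on any rule failure."""
    rule = RULES[field]
    if not isinstance(raw, str) or len(raw) > rule["max_len"]:
        raise ValueError(f"{field}: length limit exceeded")
    if not rule["allowed"].fullmatch(raw):          # whole string must be on the whitelist
        raise ValueError(f"{field}: character not on whitelist")
    return rule["type"](raw)                        # strong typing last, on clean input only

def display(value):
    """HTML-encode before display so data never reaches the page as markup."""
    return html.escape(str(value), quote=True)

def lookup_user(conn, username):
    """Whitelist check first; the parameterised query is a second layer added here."""
    name = validate("username", username)
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()

def demo():
    """Run good and bad inputs through the layer; returns a dict of outcomes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")   # constructed sample row
    results = {"good": lookup_user(conn, "alice")[0]}
    for bad in ["' OR 1=1 --", "<script>alert(1)</script>", "a" * 40]:
        try:
            lookup_user(conn, bad)
            results[bad] = "accepted"
        except ValueError:
            results[bad] = "rejected"
    results["encoded"] = display("<b>bob</b>")
    return results
```

Every rejection above comes from the whitelist or length rule before the value reaches SQL or HTML, which is the central-fix property slide 9 argues for.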

  9. Sample approaches (3): Consider using existing frameworks. Well-known issues already addressed. Saves development time. Bug fixes can be applied in a central location as opposed to multiple.

  10. Common existing frameworks: Java Validation library for Java; XWork validator for Java Struts; JSTL for JSP; Anti-XSS library for Microsoft .NET.

  11. Lastly, document!!! Create a best-practices document outlining how to address risky tasks. Short training course. Q&A sessions to address concerns of the dev team. Emphasize code management advantages and security checking consistency.

  12. Benefits: Time savings essential for developer acceptance. Initially adds to development time. Management and future code audits easier.

  13. Finally: Make enforced utilization of the framework a project requirement, with consequences for failure to implement without a good reason. Else developers treat it as an optional step.

  14. References: The business case for security frameworks, by Robert Auger, http://www.webappsec.org/projects/articles/042307.shtml. The Cross Site Scripting (XSS) FAQ, http://www.cgisecurity.com/articles/xss-faq.shtml
