
David Ohsie - Distinguished Engineer, EMC Corporation

Leveraging OWASP in Open Source Projects - CAS AppSec Working Group. David Ohsie - Distinguished Engineer, EMC Corporation Bill Thompson CISSP, CSSLP - Director IAM Practice, Unicon Aaron Weaver. Hosted by OWASP & the NYC Chapter. Central Authentication Service (CAS)





Presentation Transcript


  1. Leveraging OWASP in Open Source Projects - CAS AppSec Working Group David Ohsie - Distinguished Engineer, EMC Corporation Bill Thompson CISSP, CSSLP - Director IAM Practice, Unicon Aaron Weaver

  2. Hosted by OWASP & the NYC Chapter

  3. Central Authentication Service (CAS) Simple, Flexible, Extensible Open Source Web Single Sign-On for the Enterprise • Alfresco • Confluence • DokuWiki • Drupal • Google Apps • JIRA • Joomla! • Liferay • MediaWiki • Spring Security • Apache Shiro • Java CAS Client • .Net CAS Client • php CAS Client • mod_auth_cas • ASP to Zope • Moodle • OpenCMS • PeopleAdmin • Roller • Sakai • Twiki • uPortal • Wordpress • Zimbra

  4. Central Authentication Service (CAS) • CAS initially created by Shawn Bayern in 2001 at Yale • CAS3 jointly designed and developed by Rutgers and Yale in 2005 as a Jasig project • Simple protocol, flexible architecture, wide deployment

  5. Central Authentication Service (CAS) But...is it secure? How do we know? • Based on Kerberos • Wide deployment and many eyeballs • Reports of dynamic scans from time to time • Maybe we should really check?

  6. Central Authentication Service (CAS) CAS AppSec Working Group - Jan 2013 • Joachim Fritschi • Jérôme Leleu • Misagh Moayyed • Parker Neff • David Ohsie • Andrew Petro • Bill Thompson • Aaron Weaver • https://wiki.jasig.org/display/CAS/CAS+AppSec+Working+Group

  7. CAS AppSec Working Group Goals • Proactively work to improve the security posture • Respond to potential vulnerabilities • Produce artifacts that help potential CAS adopters evaluate the security of CAS • Create and maintain recommendations on good security practices for deployments

  8. Hosted by OWASP & the NYC Chapter

  9. Google pays coders to improve open-source security

  10. Open Source software needs to be open on software security.

  11. As an adopter or potential adopter I want to know how the project deals with security

  12. Security can be a strong “selling” point!

  13. Or it can detract from your project How to avoid being one of the "73%" of WordPress sites vulnerable to attack

  14. Vulnerability Handling Practices

  15. Hosted by OWASP & the NYC Chapter

  16. OSS AppSec Program • Form a working group • OWASP Resources • Meet regularly • Make it easy to report vulnerabilities • Threat Analysis with Developers • Run security tools (ZAP, Static Code)

  17. Contributors • Use OWASP Resources and Libraries • Threat Model • Work with security researchers

  18. Make it easy to report a vulnerability • Security issue email address • Provide a PGP Key

  19. Static Code Analysis: issues were found and prioritized, and the false positives were worked through

  20. Threat analysis: Purpose • What people think/say: “We probably don’t have any major security issues.” • Threat analysis gives you a way to systematically analyze the possible threats against your system and rank them by potential impact. • Threat analysis also gives adopters the information they need to analyze the deployment of your system in their environment.

  21. Threat analysis: Methodology • Decompose the application: Draw a dataflow diagram in order to enumerate the attack surfaces. • For each attack surface, enumerate the threats to the system and rank them. • For each threat, create a list of possible mitigations. • More details: https://www.owasp.org/index.php/Application_Threat_Modeling

  22. CAS Appsec Experience • Started with whiteboarding session at Apereo conference to produce initial DFD and threats • Biweekly follow-up meeting via Webex • Used STRIDE to help identify threats • Results maintained on wiki page • https://wiki.jasig.org/display/CAS/CAS+Threat+Modeling

  23. CAS Context DFD

  24. CAS Protocol DFD (diagram; recoverable labels) • Elements: Browser, CAS Server, Application with its CAS Client (Agent) • Browser to CAS Server over HTTPS: Username/Password + Application Service URL • CAS Server to Browser: SSO Session Cookie (TGT) and Application Service Ticket (ST) • Browser to Application: HTTP(S) Request + ST • Application and Browser: HTTP(S) + Optional Session Cookie

  25. STRIDE
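The methodology from the threat-analysis slides (decompose into a dataflow diagram, enumerate threats per element, rank them, list mitigations) combined with STRIDE, worked as an added Python example; it is not part of the presentation or of the CAS project. The element names follow the protocol DFD slide, with a ticket registry data store added as an assumption; the STRIDE-per-element table is the standard one; the PC_3 entry paraphrases the deck's sample threat, while the identifiers TR_1 and ST_1, the descriptions and every likelihood/impact score are constructed for this example.

```python
"""STRIDE-per-element threat enumeration and ranking over a dataflow diagram.

Added example. Element names follow the CAS protocol DFD slide (the ticket
registry data store is an assumption); threat descriptions, identifiers other
than PC_3, and all likelihood/impact scores are constructed for illustration.
"""
from dataclasses import dataclass, field

# Standard STRIDE-per-element mapping: which categories must be considered
# for each kind of DFD element.
STRIDE_BY_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass
class Element:
    name: str
    kind: str  # a key of STRIDE_BY_ELEMENT


@dataclass
class Threat:
    identifier: str
    element: str
    category: str  # one STRIDE letter
    description: str
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int  # 1 (minor) .. 5 (severe)
    mitigations: list = field(default_factory=list)

    @property
    def risk(self) -> int:
        # Simple likelihood x impact score, used only to order the register.
        return self.likelihood * self.impact


def enumerate_candidates(elements):
    """Every (element, category) pair the STRIDE-per-element table says to review."""
    return [(e.name, CATEGORY_NAMES[c])
            for e in elements for c in STRIDE_BY_ELEMENT[e.kind]]


def validate(threats, elements):
    """Identifiers of threats filed under a category STRIDE does not apply to
    that element kind (a sign that the element or the category is wrong)."""
    kinds = {e.name: e.kind for e in elements}
    return [t.identifier for t in threats
            if t.category not in STRIDE_BY_ELEMENT[kinds[t.element]]]


def rank(threats):
    """Highest risk first; the identifier breaks ties so the order is stable."""
    return sorted(threats, key=lambda t: (-t.risk, t.identifier))


# Decomposition: elements from the CAS protocol DFD (ticket registry assumed).
CAS_DFD = [
    Element("Browser", "external_entity"),
    Element("CAS Server", "process"),
    Element("Application CAS Client", "process"),
    Element("Ticket Registry", "data_store"),
    Element("ST in HTTP(S) request", "data_flow"),
    Element("Proxy callback (pgtIou/pgtId)", "data_flow"),
]

# Threat register. PC_3 paraphrases the deck's sample threat; the others and
# every score are constructed for this example.
REGISTER = [
    Threat("PC_3", "Proxy callback (pgtIou/pgtId)", "I",
           "pgtIou/pgtId sent as GET parameters may be stored in logs or indexed",
           likelihood=4, impact=4,
           mitigations=["Never log GET parameters on the proxy callback URL",
                        "Carry the parameters in a POST body in a protocol revision"]),
    Threat("TR_1", "Ticket Registry", "T",
           "Stored tickets altered by whoever can reach the registry backend",
           likelihood=2, impact=5,
           mitigations=["Sign (or encrypt) registry entries"]),
    Threat("ST_1", "ST in HTTP(S) request", "I",
           "Service ticket observed in transit when plain HTTP is allowed",
           likelihood=3, impact=3,
           mitigations=["Disable HTTP; require HTTPS"]),
]

if __name__ == "__main__":
    print(len(enumerate_candidates(CAS_DFD)), "element/category pairs to review")
    for t in rank(REGISTER):
        print(f"{t.identifier:5} risk={t.risk:2} {CATEGORY_NAMES[t.category]}: {t.description}")
```

The candidate list is the checklist the working group walks through per element (24 pairs for these six elements); `validate` catches register entries that name a category STRIDE does not apply to that element kind, which usually means the threat was attached to the wrong element.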

  26. CAS Appsec Sample Threat • Identifier: PC_3 • Category: Information Disclosure • Threat: The pgtIou and pgtId are sent as GET parameters, which can be a problem as they might be stored in logs or indexed in internal search engines... • Mitigation: Never log the GET parameters on the proxy callback URL, though that might not be sufficient. Should we change the CAS protocol in the next revision (v4.0) to POST these parameters?
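The first mitigation for PC_3, keeping pgtIou and pgtId out of log output, as an added Python example that is neither the presentation's nor the CAS project's code. It redacts the values of named query parameters from URLs before they reach a log line, both on a single URL and through a logging filter that covers URLs passed as format arguments. The parameter names pgtIou and pgtId are from the slide; including "ticket" (the service ticket parameter) in the default set is an assumption, and the URL in the demo is constructed.

```python
"""Redact ticket-bearing query parameters before they reach a log line.

Added example (not CAS project code). Parameter names pgtIou and pgtId come
from the proxy callback described on the slide; "ticket" (the service
ticket parameter) is included as an assumption.
"""
import io
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE_PARAMS = frozenset({"pgtIou", "pgtId", "ticket"})
MASK = "REDACTED"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def redact_url(url: str, sensitive=SENSITIVE_PARAMS) -> str:
    """Replace the value of every sensitive query parameter, keep the rest."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, MASK if k in sensitive else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_text(text: str) -> str:
    """Apply redact_url to every URL embedded in free text (e.g. a log line)."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), text)


class QueryRedactingFilter(logging.Filter):
    """Rewrites the fully formatted message, so URLs passed as %-style
    arguments are covered too, then clears args so the record is not
    formatted a second time."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def log_with_redaction(message: str, *args) -> str:
    """Emit one INFO record through the filter and return the rendered line."""
    buf = io.StringIO()
    logger = logging.getLogger("example.proxy-callback")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    redactor = QueryRedactingFilter()
    logger.addHandler(handler)
    logger.addFilter(redactor)
    try:
        logger.info(message, *args)
    finally:
        logger.removeFilter(redactor)
        logger.removeHandler(handler)
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed callback URL, not a real deployment.
    url = "https://app.example.org/proxyCallback?pgtIou=PGTIOU-1&pgtId=PGT-2&foo=bar"
    print(log_with_redaction("proxy callback from CAS: %s", url))
```

Two caveats a deployer would want: the filter only catches URLs that pass through this logger, so access logs written by the servlet container or reverse proxy need their own configuration for the callback path; and because the query string is parsed and re-serialized, non-sensitive values are normalized (percent-encoded) on the way out.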

  27. Classifying Remediation • Easy: Security Guide Contents • Disable http • How to write a safe CAS client/plugin • Securing the ticket registry • Harder: Change the code • Secure-by-default • Encrypted/signed ticket registry
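The "harder" remediation on this slide, a signed ticket registry, as an added Python example that is neither the presentation's nor the CAS project's code. Each entry is stored as a JSON payload plus an HMAC-SHA256 tag that also covers the ticket id, so an entry altered in the shared backend, or copied under a different id, fails verification on retrieval. The class name, the JSON serialization, the fixed demo key and the ticket fields are assumptions made for this example; a real deployment would use a random key shared by all CAS nodes.

```python
"""Tamper-evident ticket registry entries via HMAC-SHA256.

Added example, not CAS code. Each ticket is stored as a JSON payload plus a
tag keyed to the ticket id, so an entry that is altered in (or moved within)
the shared backend is rejected on retrieval.
"""
import hashlib
import hmac
import json
from typing import Optional


class SignedTicketRegistry:
    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._store = {}  # stands in for the shared backend (database, cache)

    def _tag(self, ticket_id: str, payload: bytes) -> bytes:
        # Bind the tag to the id as well as the payload, so a valid entry
        # cannot be copied under another ticket id.
        return hmac.new(self._key, ticket_id.encode() + b"\0" + payload,
                        hashlib.sha256).digest()

    def add(self, ticket_id: str, ticket: dict) -> None:
        payload = json.dumps(ticket, sort_keys=True).encode()
        self._store[ticket_id] = (payload, self._tag(ticket_id, payload))

    def verify(self, ticket_id: str) -> bool:
        entry = self._store.get(ticket_id)
        if entry is None:
            return False
        payload, tag = entry
        return hmac.compare_digest(tag, self._tag(ticket_id, payload))

    def get(self, ticket_id: str) -> Optional[dict]:
        """Return the ticket, or None if absent; raise if it fails the check."""
        if ticket_id not in self._store:
            return None
        if not self.verify(ticket_id):
            raise ValueError(f"registry entry {ticket_id} failed integrity check")
        return json.loads(self._store[ticket_id][0])

    # Simulated backend-level write that bypasses add(); used only to show
    # that such changes are detected.
    def _raw_write(self, ticket_id: str, payload: bytes, tag: bytes) -> None:
        self._store[ticket_id] = (payload, tag)


def demo() -> dict:
    """Run three cases and report which entries still verify."""
    reg = SignedTicketRegistry(b"\x01" * 32)  # constructed key; use os.urandom(32)
    reg.add("ST-1", {"service": "https://app.example.org/", "expires": 100})
    intact = reg.verify("ST-1")
    payload, tag = reg._store["ST-1"]
    reg._raw_write("ST-1", payload.replace(b"100", b"999"), tag)  # extend expiry
    altered = reg.verify("ST-1")
    reg._raw_write("ST-2", payload, tag)  # copy the original entry under a new id
    moved = reg.verify("ST-2")
    return {"intact": intact, "altered": altered, "moved": moved}


if __name__ == "__main__":
    print(demo())
```

Signing gives tamper evidence, not confidentiality: anyone who can read the backend still sees ticket contents. The slide's "encrypted" variant would encrypt the same payload with an authenticated mode, which covers both properties at once.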

  28. CAS Threat modeling results • Classified 19 threats against the system • Generated 10 proposals • One proposal (secure-by-default) integrated into CAS 4.0 • Paraphrase from a CAS committer: • “I thought when we started that we would not find any problems, but now I see that there are lots of improvements to be made”

  29. Challenges • Even in a security project, features are favored over security! • Difficult to get consistent participation (although a core of contributors have kept it up; thank you, Jérôme Leleu and co-presenters!) • Difficult to get changes prioritized and into the project

  30. Application Security Professionals Find an open source project and volunteer!

  31. Thanks! David Ohsie Bill Thompson, CISSP, CSSLP IAM Practice Director, Unicon wgthom@unicon.net Aaron Weaver
