
Getting More Out of OWASP Leveraging Today’s Nest of Projects

OWASP Atlanta March 2014 Chapter Meeting. Tony “UV” UcedaVelez, VerSprite, Inc., OWASP Atlanta Chapter Leader. tonyuv@owasp.org, @t0nyuv.


Presentation Transcript


  1. OWASP Atlanta March 2014 Chapter Meeting Getting More Out of OWASP: Leveraging Today’s Nest of Projects • Tony “UV” UcedaVelez • VerSprite, Inc. • OWASP Atlanta Chapter Leader • tonyuv@owasp.org • @t0nyuv

  2. Reasons for Talk • After 11 years, many people still don’t know about OWASP • Problems in InfoSec are bountiful • Opportunities for solving problems are catalyzed by OWASP • Those that ‘DO’ will be best served by OWASP projects • Get involved to further OWASP mission & projects • Consultant viewpoint from close to 20 years in the trenches

  3. ‘Get’ Topics to Cover • Get Familiar • Get more from OWASP • Get involved

  4. OWASP is a Belief • Community driven • Software security shouldn’t be reserved to those who can afford it. • Intra-personal exchanges and interactions reveal true opportunities for collaboration • Cultural, industry, country related challenges exposed and addressed. • Massively supportive and responsive.

  5. More basics on OWASP • A non-profit (501(c)), global org – Please Donate! or become a Member. • Consortium of tools and deliverables aimed at application security. • OPENness is the heart of the org – from its content and dialogue to its administration. • OWASP content can be leveraged in ANY org

  6. Core Values (from site) • OPEN – radical transparency; from finances to our code. • INNOVATION - encourages innovation for solutions to software security challenges. • GLOBAL – truly a global community. • INTEGRITY - truthful, vendor neutral, global community.

  7. …now to the projects…

  8. OWASP Project Runway

  9. Untangling the OWASP Projects knot It can’t be done! >:/

  10. Governance, Maturity Modeling & Metrics

  11. OWASP Open SAMM • The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. • Benefits • Evaluate your organization's existing software security practices • Build a balanced software security program in well-defined iterations. • Demonstrate concrete improvements http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project

  12. Wide Scope Covered by OpenSAMM • Supports a Security Plan or Roadmap • Establish governance • Perform against assessments • Test and Report • Enhance Security Operations • Building a S-SDLC Initiative • Measures success / shortcomings • Provides metrics for reporting http://www.owasp.org/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project

  13. OWASP.org is a valuable resource for any company involved with online payment card transactions. Dell uses OWASP’s Software Assurance Maturity Model (OpenSAMM) to help focus our resources and determine which components of our secure application development program to prioritize. Participation in OWASP’s local chapter meetings and conferences around the globe helps us build stronger networks with our colleagues. (Michael J. Craigue, Information Security & Compliance, Dell, Inc.)

  14. SAMM ScoreCard

  15. Operationalizing Security: Case Study & Prescriptive Advice on Implementing OWASP Projects

  16. Challenges in SecOps • Security Operations are becoming zombified • Over-reliance on vendors (tools and services) • Ask most security operations people – are you getting better? – they really don’t know • Measuring and trending is key • Part of the challenge in measuring is having the right tools; the other part is knowing what consistent values to check for

  17. Prescriptive Advice in SecOps • Define operational metrics around security • Contemplate bug bounties • Measure security by events • Validated alerts (blocked) • False positive analysis (for tuning purposes) • Mitigate new layers of attacks • Do more with less
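The two metrics the slide names, validated (blocked) alerts and false positive analysis for tuning, are simple to compute once every alert carries an analyst verdict. The following is an added example written for this page, not code from the talk or from any OWASP project; the alert records, rule names and the 0.5 precision threshold are constructed for illustration:

```python
from collections import defaultdict

# Constructed triage records (not real alerts): one entry per alert after an
# analyst has validated it. "blocked" records whether the control stopped it.
ALERTS = [
    {"rule": "WAF-SQLi-001", "verdict": "true_positive", "blocked": True},
    {"rule": "WAF-SQLi-001", "verdict": "true_positive", "blocked": True},
    {"rule": "WAF-SQLi-001", "verdict": "true_positive", "blocked": False},
    {"rule": "WAF-SQLi-001", "verdict": "false_positive", "blocked": True},
    {"rule": "IDS-PortScan-007", "verdict": "true_positive", "blocked": False},
    {"rule": "IDS-PortScan-007", "verdict": "false_positive", "blocked": False},
    {"rule": "IDS-PortScan-007", "verdict": "false_positive", "blocked": False},
    {"rule": "IDS-PortScan-007", "verdict": "false_positive", "blocked": False},
    {"rule": "IDS-PortScan-007", "verdict": "false_positive", "blocked": False},
    {"rule": "Phish-Link-003", "verdict": "false_positive", "blocked": False},
    {"rule": "Phish-Link-003", "verdict": "false_positive", "blocked": False},
]


def rule_metrics(alerts):
    """Per-rule counts plus precision (validated alerts divided by all alerts)."""
    stats = defaultdict(lambda: {"total": 0, "validated": 0, "false_positive": 0, "blocked": 0})
    for a in alerts:
        s = stats[a["rule"]]
        s["total"] += 1
        if a["verdict"] == "true_positive":
            s["validated"] += 1
        elif a["verdict"] == "false_positive":
            s["false_positive"] += 1
        if a["blocked"]:
            s["blocked"] += 1
    for s in stats.values():
        s["precision"] = s["validated"] / s["total"]
    return dict(stats)


def rules_to_tune(stats, min_precision=0.5, min_total=3):
    """Rules whose precision is below the threshold; rules with too few alerts
    to judge are left alone rather than tuned on noise."""
    return sorted(r for r, s in stats.items()
                  if s["total"] >= min_total and s["precision"] < min_precision)


def trend(previous, current):
    """Change in precision per rule between two measurement periods, so the
    same numbers can be compared over time rather than read once."""
    return {r: round(current[r]["precision"] - previous[r]["precision"], 3)
            for r in current if r in previous}


if __name__ == "__main__":
    stats = rule_metrics(ALERTS)
    for rule, s in sorted(stats.items()):
        print(f"{rule}: {s}")
    print("tune:", rules_to_tune(stats))
```

Running the same computation every period and diffing with `trend` is what turns the counts into the "are we getting better" answer the previous slide says most teams cannot give.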

  18. Case Study: U.S. Financial Company • Company name will not be disclosed (We need a name for this company) • UFS (Unidentified Financial Services)

  19. USF: Company Overview • Relative size • Among the largest 25 banks in the U.S. • Branches in many states in the U.S. • General information • Company Type: Subsidiary of larger firm • Industry: Finance and Banking • Revenue: 2+ Billion USD • Employees: 13,000+ • Parent Company: ~$14 Billion in revenue, ~110,000 employees and ~$650 Billion in assets

  20. USF: IT Security • The USF Security group • 8 IT Security Analysts (full-time employees) • Mission and Goals • Compliance efforts • PCI DSS & SOx (Sarbanes-Oxley Act) • Compliance is a starting point for them. They aim for secure and get compliance along the way. • Assessment / security reviews of online assets • Online assets include multiple web applications • Traditional network based security services • Anti-Phishing efforts

  21. USF: Before OWASP • Fiscal Year 2007 • Web Application security reviews • Utilized only outside security firms • USF security group handled remediation tasks • Request for additional details on review findings represented additional costs • Average engagement cost: $8,000 per site • Web App Security reviews for 2007 = 30 sites or $240,000 total cost

  22. USF: With OWASP • Fiscal Year 2008 • Web Application security reviews • Utilized only internal security analysts • Used the OWASP Testing Guide v2 plus WebScarab as their standard for testing web applications • Printed guide copies for all 8 analysts for $200 • USF security group handles remediation tasks • Average engagement cost: $0 per site • Assumes salaries are a fixed cost • No new staff added for this effort • Assessed 48 sites in 2008

  23. USF: With OWASP • Web App Security review costs: • 2007: $240,000 (30 sites x $8,000/site) • 2008: $200 for 48 sites (printing costs) • If 2008 didn't have OWASP: $384,000 (48 sites x $8,000/site) • OWASP Savings = $383,800 in year 1

  24. USF: The Pros with OWASP • Cost reduction will continue past year 1 • Accomplished more reviews at a lower cost • Time to assess should trend down • Reports are standardized now • Different vendor = different reporting in prior years • Standard reporting = better trend analysis • Increased Efficiency in remediation • Analysts better understand the reported findings • Analysts can better address audit questions • Annual audits from Gov't & parent company • Federal auditors praised the “well developed internal review process”

  25. USF: The Cons with OWASP • Starting up the program was initially slow • Mid-year efficiency gains allowed them to surpass the 2007 review number in 2008 • Requires strong management support • Must accept the potential for a slow year 1 • At least one analyst must be familiar with application security to lead the effort • Additional training is still needed for some USF analysts • Level out the skills of the analysts • One time cost of $15,000 to $25,000 for on-site, instructor based training

  26. Some Personal Anecdotes • OWASP Projects used in my security career • OWASP WebGoat • How I first learned about application security • OWASP WebScarab • Used during many penetration tests • OWASP Live CD • My current preferred App Sec testing environment • OWASP Testing Guide • Used in creating reports during security reviews • OWASP Legal Project • Utilized language from the project to add security language to our procurement process documents

  27. Security Assurance

  28. Challenges in Security Assurance • Relatively new to most organizations • Non-existent in the SMB space • Most don’t know what they are assuring against • If they do know what they are assuring against, it's not consistently validated over time

  29. Prescriptive Advice • Simplify!!! • Create Roadmap • Standardize • Follow a Methodology • Define Key Metrics • Measure over time

  30. Test & Verify

  31. OWASP ASVS Provides Methodology for Security Assurance • The OWASP Application Security Verification Standard (ASVS) defines a standard for conducting app sec verifications. • Covers automated and manual approaches for external testing and code review techniques • Recently created and already adopted by several companies and government agencies • Benefits • Standardizes the coverage and level of rigor used to perform app sec assessments • Allows for better comparisons http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

  32. OWASP Testing Guide • Provides a “best practice” penetration framework and a “low level” penetration testing guide that describes techniques for testing web applications. • Version 3 is the latest and is a 349 page book • Tests split into 9 sub-categories with 66 controls to test • Benefits • Ready made testing framework • Great categories and identifiers for reporting • Excellent to augment skills of analysts • http://www.owasp.org/index.php/Category:OWASP_Testing_Project

  33. Threat Modeling & Security Architecture • OWASP ASDR • Provides internal taxonomy of terms for the enterprise • Great reference material for application security • OWASP’s ‘man page’ for appsec related terms • Perfect for building threat modeling content

  34. S-SDLC - Build Security In Already!

  35. OWASP Testing Guide S-SDLC / Building Security-In

  36. Challenges in Development & QA Groups • No time for security at the DEV stage • Security is an afterthought • Perception: Security is blowing smoke up my @$$ (FUD) • Security architecture is non-existent • Groups don’t have time to learn about security • PMs don’t have time to wait for security requirements to be factored in • No executive sponsorship for forcing security requirements into apps. • Myopic developers are only seeing functional code design

  37. Prescribed Solutions for Development & QA

  38. List of Cheats • Clickjacking Defense Cheat Sheet • C-Based Toolchain Hardening Cheat Sheet • Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet • Cryptographic Storage Cheat Sheet • DOM based XSS Prevention Cheat Sheet • Forgot Password Cheat Sheet • HTML5 Security Cheat Sheet • Input Validation Cheat Sheet • JAAS Cheat Sheet • Logging Cheat Sheet • .NET Security Cheat Sheet • OWASP Top Ten Cheat Sheet • Password Storage Cheat Sheet • Pinning Cheat Sheet • Query Parameterization Cheat Sheet • Ruby on Rails Cheat Sheet • REST Security Cheat Sheet • Session Management Cheat Sheet • SQL Injection Prevention Cheat Sheet • Transport Layer Protection Cheat Sheet • Unvalidated Redirects and Forwards Cheat Sheet • User Privacy Protection Cheat Sheet • Web Service Security Cheat Sheet • XSS (Cross Site Scripting) Prevention Cheat Sheet • Attack Surface Analysis Cheat Sheet • XSS Filter Evasion Cheat Sheet • REST Assessment Cheat Sheet • iOS Developer Cheat Sheet • Mobile Jailbreaking Cheat Sheet • OpSec Cheat Sheets (Defender) • Virtual Patching Cheat Sheet

  39. Cheat Snippets • Insecure Direct Object References • It may seem obvious, but if you had a bank account REST web service, you have to make sure there is adequate checking of primary and foreign keys: • https://example.com/account/325365436/transfer?amount=$100.00&toAccount=473846376 • In this case, it would be possible to transfer money from any account to any other account, which is clearly insane. Not even a random token makes this safe. • https://example.com/invoice/2362365 • In this case, it would be possible to get a copy of all invoices. • Please make sure you understand how to protect against insecure direct object references in the OWASP Top 10 2010. • Java Regex Usage Example • Example validating the parameter “zip” using a regular expression:

      import java.io.IOException;
      import java.util.regex.Pattern;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;

      // Compile once; in a Java string literal the regex \d must be written as \\d
      private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

      public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
          try {
              String zipCode = request.getParameter("zip");
              // A missing parameter is invalid input too; check for null before matching
              if (zipCode == null || !zipPattern.matcher(zipCode).matches()) {
                  throw new YourValidationException("Improper zipcode format.");
              }
              // .. do what you want here, after it's been validated ..
          } catch (YourValidationException e) {
              response.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
          }
      }
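The fix for the two REST URLs on this slide is not a token or a hard-to-guess identifier but an ownership check on every key in the request, done against the authenticated session before the action runs. The following is an added example written for this page, not code from the talk or from the OWASP cheat sheet; the ownership tables, user names and the amount format are constructed for illustration, while the two URLs are the ones the slide quotes:

```python
import re
from decimal import Decimal
from urllib.parse import parse_qs, urlparse

# Constructed ownership data (hypothetical): which user owns which account / invoice.
# In a real service this comes from the same database the request is about to act on.
ACCOUNT_OWNER = {"325365436": "alice", "473846376": "bob"}
INVOICE_OWNER = {"2362365": "alice", "2362366": "bob"}

# The two request shapes from the slide
TRANSFER_URL = "https://example.com/account/325365436/transfer?amount=$100.00&toAccount=473846376"
INVOICE_URL = "https://example.com/invoice/2362365"

TRANSFER_PATH = re.compile(r"^/account/(\d+)/transfer$")
INVOICE_PATH = re.compile(r"^/invoice/(\d+)$")
AMOUNT_FORMAT = re.compile(r"^\$?\d+(\.\d{2})?$")


class AccessDenied(Exception):
    """The authenticated user does not own an object the request refers to."""


class BadRequest(Exception):
    """A parameter failed validation."""


def authorize(user, url):
    """Return the action the request asks for, but only after checking that
    `user` (taken from the server-side session, never from the request) owns
    the object each identifier in the URL points at."""
    parts = urlparse(url)

    m = TRANSFER_PATH.match(parts.path)
    if m:
        source = m.group(1)
        # Primary key in the path: the caller must own the source account.
        # An unknown account fails the same way, so existence is not revealed.
        if ACCOUNT_OWNER.get(source) != user:
            raise AccessDenied(f"{user} does not own account {source}")
        query = parse_qs(parts.query)
        target = query.get("toAccount", [""])[0]
        amount = query.get("amount", [""])[0]
        # Foreign key in the query: must reference a real account; amount must be well formed
        if target not in ACCOUNT_OWNER:
            raise BadRequest("unknown destination account")
        if not AMOUNT_FORMAT.match(amount):
            raise BadRequest("malformed amount")
        return {"action": "transfer", "from": source, "to": target,
                "amount": Decimal(amount.lstrip("$"))}

    m = INVOICE_PATH.match(parts.path)
    if m:
        invoice = m.group(1)
        if INVOICE_OWNER.get(invoice) != user:
            raise AccessDenied(f"{user} does not own invoice {invoice}")
        return {"action": "view_invoice", "invoice": invoice}

    raise BadRequest("unknown resource")


def is_allowed(user, url):
    """Convenience wrapper: True if the request passes both validation and ownership checks."""
    try:
        authorize(user, url)
        return True
    except (AccessDenied, BadRequest):
        return False


if __name__ == "__main__":
    print(authorize("alice", TRANSFER_URL))
    print("bob may use alice's transfer URL:", is_allowed("bob", TRANSFER_URL))
    print("bob may read invoice 2362365:", is_allowed("bob", INVOICE_URL))
```

The same URL is accepted for `alice` and rejected for `bob` purely on the session identity, which is what makes enumerating account or invoice numbers useless to a caller who does not own them.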

  40.

  41. OWASP AntiSamy • OWASP AntiSamy is an API for ensuring user-supplied HTML/CSS is compliant with the application's rules. • API plus implementations • Java, .Net, Coldfusion, PHP (HTMLPurifier) • Benefits • It helps you ensure that clients don't supply malicious code to your application • A safer way to allow rich content from an application's users http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
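What AntiSamy does at its core is apply an allowlist policy to user-supplied markup: tags and attributes the policy names are kept, everything else is stripped, and text is re-encoded on the way out. The following is an added example of that approach written for this page, not AntiSamy's code or its policy file; the tag, attribute and URL-scheme allowlists are constructed for illustration and a production policy would be far larger:

```python
from html import escape
from html.parser import HTMLParser

# Allowlist policy (constructed for this example): what survives sanitization.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted markup. Unknown tags lose their tags but keep
    their text; script/style lose their content too; text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, so output stays balanced
        self.skip_depth = 0   # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            # URL attributes must use an allowlisted scheme; anything else is dropped
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close intervening unclosed tags so the output nests properly
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments, including conditional comments, are dropped

    def finish(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html):
    """Return a version of the user-supplied fragment containing only allowlisted markup."""
    p = AllowlistSanitizer()
    p.feed(untrusted_html)
    p.close()
    return p.finish()


if __name__ == "__main__":
    # Constructed sample of user-submitted "rich content"
    sample = ('<p onclick="x()">Hi <b>there</b><script>alert(1)</script>'
              '<a href="javascript:alert(1)">x</a>'
              '<a href="https://owasp.org" target="_blank">OWASP</a></p>')
    print(sanitize(sample))
```

The allowlist direction is the point: a denylist of known-bad tags or schemes has to anticipate every encoding trick, whereas here anything the policy did not name never reaches the output.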

  42. OWASP CSRFGuard • OWASP CSRFGuard utilizes request tokens to address Cross-Site Request Forgery. CSRF is an attack where the victim is tricked into interacting with a website where they are already authenticated. • Java, .Net and PHP implementations • CSRF is considered the app sec sleeping giant • Benefits • Provides code to generate unique request tokens to mitigate CSRF risks http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
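The token scheme the slide describes works because a forged cross-site request carries the victim's cookies automatically but cannot read a value the server bound to the session and placed in the page. The following is an added example of that synchronizer-token pattern written for this page, not CSRFGuard's code; the in-memory token store, the `csrf_token` field name, the `X-CSRF-Token` header name and the session id are constructed for illustration:

```python
import hmac
import secrets

# Constructed in-memory store (hypothetical): session id -> current token.
# In a real app this lives in the server-side session, never in a cookie,
# because cookies are exactly what a forged request sends for free.
_TOKENS = {}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session_id):
    """Generate an unpredictable token for an authenticated session and remember it.
    The caller embeds the returned value in a hidden form field or a custom header."""
    token = secrets.token_urlsafe(32)
    _TOKENS[session_id] = token
    return token


def validate_request(method, session_id, form, headers, rotate=False):
    """Accept safe methods unconditionally; for state-changing methods require the
    token from the form field or header to match the one bound to the session."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = _TOKENS.get(session_id)
    presented = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if expected is None or presented is None:
        return False
    # Constant-time comparison so response timing does not leak matching prefixes
    ok = hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))
    if ok and rotate:
        issue_token(session_id)  # per-request tokens: a used token cannot be replayed
    return ok


def demo():
    """Walk through a legitimate submission, a forged one and a replay; returns outcomes."""
    sid = "session-abc123"  # constructed session id
    token = issue_token(sid)
    legit = validate_request("POST", sid, {"csrf_token": token}, {}, rotate=True)
    # The forged form on the attacker's page rides the victim's cookies (same sid)
    # but cannot read the token, so it arrives without one.
    forged = validate_request("POST", sid, {"amount": "100"}, {})
    replay = validate_request("POST", sid, {"csrf_token": token}, {})  # rotated away
    return {"legit": legit, "forged": forged, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

Exempting safe methods is deliberate: a GET that changes state would bypass the check, so the check only works when the application also keeps state changes on POST/PUT/DELETE.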

  43. OWASP ESAPI • OWASP Enterprise Security API (ESAPI) is a free and open collection of all the security methods that a developer needs to build a secure web application. • API is fully documented and online • Implementations in multiple languages • Benefits • Provides a great reference • Implementation can be adapted/used directly • Provides a benchmark to measure frameworks http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

  44. Security Testing: You Can Start Tomorrow

  45. OWASP Top Ten • The OWASP Top Ten represents a broad consensus of what the most critical web application security flaws are. • Adopted by the Payment Card Industry (PCI) • Recommended as a best practice by many government and industry entities • Benefits • Powerful awareness document for web application security • Great starting point and reference for developers http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
