Secure Web Application Development Seminar (Language Neutral Edition)

Introduction: Misconceptions

• Misconception #1
• Security: The Complete Picture
• TJX: Anatomy of a Disaster?
• So What is the Point?
• 2012 Attacks Continued to Evolve
• Causes of Data Breaches
• Heartland – Slipping Past PCI Compliance
• What's the Point?
• Verizon’s 2012 Data Breach Report
• 360M Down to 4M in 2010???
• US Secret Service Continued to Battle
• Verizon’s 2013 Data Breach Report
• The Numbers are Abstract, but…
• Are You Concerned Yet?
• Verizon AppSec Recommendations

Foundation

Security Concepts

• Motivation: Cost of Security Defects
• Motivations: Organizations and Standards
• Open Web Application Security Project
• Web Application Security Consortium
• Assets are the Targets
• Denial of Service
• Case Study Asset Analysis
• The Context for Defensive Coding
• Attackers Not Hackers
• Mantra of Information Security
• Architectures and Architects
• Security Activities Cost Resources
• Timeline of Activities
• Secure Software Harder to Achieve
• Threat Modeling
• System/Trust Boundaries

Principles of Information Security

• Security Is a Lifecycle Issue
• What is Bolted on Versus Baked In?
• Minimize Attack Surface Area
• Examples of Minimization
• Defense in Depth
• Manage Resources
• Layers of Defense: Tenacious D
• Compartmentalize
• Consider All Application States
• Do NOT Trust the Untrusted
• Security Defect Mitigation
• Learning From Vulnerabilities
• Recent Incidents

Vulnerabilities

Unvalidated Input

• Describing Vulnerabilities
• Unvalidated Input: Description
• Buffer Overflows
• Format String Attacks
• Null Byte Injection Attacks
• Integer Arithmetic Vulnerabilities
• Unvalidated Input: From the Web
• Hidden Values in HTTP Communications
• Detection Through Fuzz Testing
• Unvalidated Input: Fixes
• Define System and Trust Boundaries
• Focus on Each Trust Boundary
• Defending Trust Boundaries

Overview of Regular Expressions

• Regular Expressions
• Regex Content
• Character Sets and Alternation
• Additional Constructs
• Repetition

Broken Access Control

• Access Control Issues
• Broken Access Control: Description
• Excessive Privileges
• Insufficient Flow Control/Forceful Browsing
• Primary Concerns in URL/Resource Access
• Unprotected URL/Resource Access: Fixes
• Protecting Sessions
• Addressing Client-Side Caching of Content

Broken Authentication

• Broken Authentication: Description
• Broken Quality/DoS: Description
• Broken Quality/DoS: Fixes
• Layers of Defense: Tenacious D
• Principles of Layered Defense
• Authentication Data: Description
• Single Sign-on (SSO) is Authentication Data
• Broken Authentication Data: Description
• Broken Authentication Data: Fixes
• Username/Password Creation Process
• Authentication Process Compares Credentials
• Protecting SSO Tokens Similar to Session IDs
• Protecting SSO Security Domains
• Broken Authentication Data: Fixes
• Handling Passwords on Server Side
• Authentication Challenge Mechanisms
• Stronger Authentication Mechanisms
• Defending Authentication

Cross Site Scripting (XSS)

• Cross-Site Scripting (XSS): Description
• Initial Goal of Attacker: Insert Content
• Ultimate Goal of Attacker: Get User to “touch” Location
• XSS: Description
• XSS: Symptoms and Detection
• Tenacious D
• XSS: Fixes
• Character Encodings for <
• Responding to Error State
• Best Practices for Untrusted Data
• Defending Against XSS

Injection

• SQL Injection Continues to be Prevalent
• Injection Flaws: Description
• Injection Flaws: Symptoms and Detection
• SQL Injection Examples
• SQL Injection Attacks Evolve
• Attackers have a Variety of Tools
• SQL Injection: Drill Down on Stored Procedures
• SQL Injection: Drill Down on ORM
• Minimize SQL Injection Vulnerabilities
• Command Injection Vulnerabilities
• LDAP Injection Vulnerabilities
• Server-Side Include (SSI) Injection Vulnerabilities
• Minimizing Injection Flaws
• Defending Against SQL Injection

Error Handling and Information Leakage

• Fingerprinting a Web Site
• Not acceptable….For ANY Web Page
• Really….For ANY Web Page
• Error-Handling Issues
• Error Handling: Description
• Error Handling: Fixes
• Logging In Support of Forensics
• Additional Measures in Support of Forensics
• Auditing
• How Does Information Leak?
• Vendors Defined Data Loss Prevention (DLP)
• Solving DLP Challenges
• What and Where
• Things to NOT Do Relative to DLP
• Things TO do Relative to DLP
• Error Handling

Insecure Data Handling

• Sony Illustrates Importance of Handling Data
• Protecting Data Can Mitigate Impact
• Insecure Data Handling: Description
• Insecure Data Handling: Fixes
• In-Memory Data Handling
• Secure Pipe
• Transport-Level Security
• Secure Sockets Layer (SSL)
• SSL In Action
• Failures in the SSL Framework Are Appearing
• BEAST Injects JavaScript into SSL Session
• Defending Sensitive Data

Insecure Configuration Management

• Insecure Configuration: Description
• System Hardening
• Insecure Configuration: Fixes

Direct Object Access

• Dynamic Loading: Description
• Dynamic Loading: Fixes
• Race Conditions
• Direct Object References

Spoofing and Redirects

• Spoofing: Description
• Name Resolution Vulnerabilities
• Targeted Spoofing Attacks Can be Damaging
• Attacks are Constant and Changing
• Spoofing: Fixes
• Cross Site Request Forgeries (CSRF)
• How To Get Victim To Select URL?
• CSRF Defenses are Entirely Server-Side
• CSRF Defenses are Evolving
• Redirects and Forwards
• Safe Redirects and Forwards

Understanding What’s Important

• Common Vulnerabilities and Exposures
• OWASP Top Ten
• Caveats and Context
• OWASP Top Ten for 2013
• How Many Principles Can be Violated?
• CWE/SANS Top 25 Most Dangerous SW Errors
• Monster Mitigations
• Defense In Depth - Layered Defense
• Defense in Depth – An Example
• Defense in Depth – Damage Control
• Strength Training: Project Teams/Developers
• Strength Training: IT Organizations

Defending XML Processing

Defending XML

• Common Solutions to Big Three
• XML Challenges
• XML Signature
• XML Signature Usage
• Example of Digital Signature
• XML Encryption
• XML Encryption Usage
• XML Encryption Protects Data
• XML Attacks: Structure
• CDATA Injection
• XML Attacks: Injection
• XPath Injection Flaws: Description
• XPath Injection
• Safe XML Processing
• Dynamic Loading Using XSLT

Defending Web Services

• Securing a Web service
• Web Service Security Exposures
• Transport-Level Security
• When Transport-Level Alone is NOT Enough
• Message-Level Security
• Web Services Security Roadmap
• WS-Security Enables Interoperability
• Security Tokens
• Example of Security Token
• Message Authentication
• XML Signature and Encryption
• Picture is Still Evolving
• Known Common Web Service Attacks
• Implementing WS-Security Securely
• Web Service Appliance/Gateways
• Networking Devices Targeting XML
• Support Message Level Security
• Device Usage Scenario: Authentication
• Common Mistakes
• SOAP WSDL Exposure
• SOAP Attacks
• Web Services DoS
• OWASP Top 10 – Still Relevant?
• Securing Web Services
• Web Service Attacks

Defending Ajax

• What Is AJAX?
• Why Use AJAX?
• AJAX Security – Summary
• How Attackers See AJAX
• Attack Surface Change When Moving to AJAX
• AJAX Privacy Concerns
• Factors that Increase Attack Surface
• Injection and Cookie Tampering
• Data Tampering
• Cross Site Scripting
• CSRF Attacks are of Concern
• Bridging
• Bridging and its Potential Problems
• Bridges Must be Properly Managed
• Dangerous Developer Assumptions
• High Level Recommendations (Client Side)
• Three Basic Tenets for Safe AJAX
• AJAX Security Resources

Processes

• SSD Process Overview
• Asset, Boundary, and Vulnerability Identification
• Vulnerability Response
• Design and Code Reviews
• Applying Processes and Practices
• Risk Analysis

Security Testing

• Testing as Lifecycle Process
• Testing Planning and Documentation
• Testing Tools And Processes
• Static and Dynamic Code Analysis
• Testing Practices