Top 10 Web Security Controls
Top Ten Controls v4.1, March 2012
Jim Manico and Eoin Keary

Jim Manico
VP Security Architecture, WhiteHat Security
15 years of web-based, database-driven software development and analysis experience
Over 7 years as a provider of secure developer training courses for SANS, Aspect Security and others
OWASP Connections Committee Chair
OWASP Podcast Series Producer/Host
OWASP Cheat-Sheet Series Manager

(1) Query Parameterization (PHP PDO)

    $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
    $stmt->bindParam(':name', $name);
    $stmt->bindParam(':value', $value);
    $stmt->execute();

Query Parameterization (.NET)

    SqlConnection objConnection = new SqlConnection(_ConnectionString);
    objConnection.Open();
    SqlCommand objCommand = new SqlCommand(
        "SELECT * FROM User WHERE Name = @Name AND Password = @Password",
        objConnection);
    // the values are bound as parameters, never spliced into the SQL text
    objCommand.Parameters.AddWithValue("@Name", NameTextBox.Text);
    objCommand.Parameters.AddWithValue("@Password", PasswordTextBox.Text);
    SqlDataReader objReader = objCommand.ExecuteReader();
    if (objReader.Read()) { ... }

Query Parameterization (Java)

    // request.getParameter() returns a String, so convert before binding
    double newSalary = Double.parseDouble(request.getParameter("newSalary"));
    int id = Integer.parseInt(request.getParameter("id"));
    PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
    pstmt.setDouble(1, newSalary);
    pstmt.setInt(2, id);
    pstmt.executeUpdate();

    // Hibernate HQL with a named parameter
    Query safeHQLQuery = session.createQuery("from Inventory where productID=:productid");
    safeHQLQuery.setParameter("productid", userSuppliedParameter);

Query Parameterization (Ruby)

    # Create
    Project.create!(:name => 'owasp')
    # Read (positional placeholder, hash condition, named placeholder)
    Project.all(:conditions => ["name = ?", name])
    Project.all(:conditions => { :name => name })
    Project.where("name = :name", :name => name)
    # Update
    project.update_attributes(:name => 'owasp')
    # Delete
    Project.delete_all(:name => name)

Query Parameterization (Cold Fusion)

    <!--- the table prefix is still interpolated into the SQL text: it must come from
          trusted configuration, never from the request --->
    SELECT * FROM #strDatabasePrefix#_courses
    WHERE intCourseID = <cfqueryparam value="#intCourseID#" cfsqltype="CF_SQL_INTEGER">

Query Parameterization (PERL)

    my $sql = "INSERT INTO foo (bar, baz) VALUES ( ?, ? )";
    my $sth = $dbh->prepare( $sql );
    $sth->execute( $bar, $baz );
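The slides above show the parameterized form in several languages without showing what goes wrong in the unparameterized one. The following is an added example, not code from the deck or from OWASP, written in Python against an in-memory SQLite table that stands in for the User table on the .NET slide. The table contents, the function names and the tainted input are all constructed for the demonstration. It contrasts string concatenation with positional (?) and named (:name) binding, the two placeholder styles the slides use.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the slides' User table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


DB = make_db()

# Constructed input: a quote that closes the string literal, followed by SQL.
TAINTED = "x' OR 'a'='a"


def lookup_concatenated(conn, name):
    """The weak pattern the slides warn against: input spliced into SQL text.

    The quote inside TAINTED terminates the literal, so the rest of the
    input is parsed as SQL and the WHERE clause matches every row.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_positional(conn, name):
    """Hardened form with a positional placeholder, like the Java/Perl slides.

    The driver sends the value separately from the statement text, so the
    value can only ever be compared as data; it cannot become SQL syntax.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_named(conn, name):
    """Same thing with a named placeholder, like the PDO/HQL/Ruby slides."""
    sql = "SELECT name FROM users WHERE name = :name"
    return [row[0] for row in conn.execute(sql, {"name": name})]


if __name__ == "__main__":
    print("concatenated, tainted:", lookup_concatenated(DB, TAINTED))
    print("positional,   tainted:", lookup_positional(DB, TAINTED))
    print("named,        tainted:", lookup_named(DB, TAINTED))
```

Run as a script, the concatenated lookup returns both users for the tainted input while both parameterized lookups return nothing, because no row has a name equal to the literal string `x' OR 'a'='a`. Note that parameterization covers values only; identifiers such as the `#strDatabasePrefix#` table prefix on the Cold Fusion slide cannot be bound and must come from trusted configuration.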

XSS: Why so Serious?
Session hijacking
Site defacement
Network scanning
Undermining CSRF defenses
Site redirection/phishing
Load of remotely hosted scripts
Data theft
Keystroke logging

Danger: Multiple Contexts
Browsers have multiple contexts that must be considered!
HTML
HTML Body
Attributes
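The point of the "multiple contexts" slide is that one encoder does not fit every place untrusted data is written. The following is an added example, not code from the deck or from any OWASP library, showing a separate encoder for each context, written in Python. It goes beyond the two contexts named on the visible slide (HTML body and attribute) by also covering a quoted JavaScript string and a URL query parameter, which are the other common output locations. The encoding rules (escape the five HTML metacharacters in the body; encode all non-alphanumerics as &#xHH; in attributes and as \xHH in JavaScript strings; percent-encode in URLs) are the standard ones; the function names and the sample template are constructed for the example.

```python
import html
from urllib.parse import quote


def encode_html_body(s):
    """HTML body context: escaping & < > " ' is enough between tags."""
    return html.escape(s, quote=True)


def encode_html_attribute(s):
    """HTML attribute context: encode every non-alphanumeric as &#xHH;.

    This is stricter than the body encoder so the value cannot break out
    of the attribute even if a template author forgot the surrounding quotes.
    """
    return "".join(
        c if (c.isascii() and c.isalnum()) else "&#x%02X;" % ord(c)
        for c in s
    )


def encode_js_string(s):
    """Quoted JavaScript string context: \\xHH for Latin-1, \\uHHHH above."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 256:
            out.append("\\x%02X" % ord(c))
        else:
            out.append("\\u%04X" % ord(c))
    return "".join(out)


def encode_url_param(s):
    """URL query parameter context: percent-encode everything but A-Za-z0-9_.-~."""
    return quote(s, safe="")


def render_profile(display_name):
    """Constructed template writing the same value into four contexts.

    Each slot uses the encoder for its own context; the HTML-body encoder
    alone would not be safe inside the script block or the href.
    """
    return (
        '<div title="%s">%s</div>\n'
        '<script>var who = "%s";</script>\n'
        '<a href="/search?q=%s">search</a>'
    ) % (
        encode_html_attribute(display_name),
        encode_html_body(display_name),
        encode_js_string(display_name),
        encode_url_param(display_name),
    )


if __name__ == "__main__":
    print(render_profile('<i>O\'Brien & "friends"</i>'))
```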

(9a) Secure Password Storage

    public String hash(String plaintext, String salt, int iterations) throws EncryptionException {
        byte[] bytes = null;
        try {
            MessageDigest digest = MessageDigest.getInstance(hashAlgorithm);
            digest.reset();
            digest.update(ESAPI.securityConfiguration().getMasterSalt());
            digest.update(salt.getBytes(encoding));
            digest.update(plaintext.getBytes(encoding));
            // rehash a number of times to help strengthen weak passwords
            bytes = digest.digest();
            for (int i = 0; i < iterations; i++) {
                digest.reset();
                bytes = digest.digest(bytes);
            }
            String encoded = ESAPI.encoder().encodeForBase64(bytes, false);
            return encoded;
        } catch (Exception ex) {
            throw new EncryptionException("Internal error", "Error");
        }
    }
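The Java above is the ESAPI hash routine: a site-wide master salt, a per-user salt and the password are digested once, and the raw digest is then re-digested a configurable number of times. The following is an added example, not code from the deck or from ESAPI, that renders that loop in Python so its shape is visible, and beside it the same job done with PBKDF2 from the standard library, which is the construction a practitioner would reach for today. The storage format string, the function names and the iteration count are constructed for the example; the algorithm name "sha512" stands in for the slide's hashAlgorithm setting.

```python
import base64
import hashlib
import hmac
import os

# Constructed cost parameter: tune so one hash takes tens of milliseconds
# on the authentication server, and store it with the hash so it can grow.
ITERATIONS = 100_000


def esapi_style_hash(plaintext, salt, master_salt, iterations, algorithm="sha512"):
    """Python rendering of the slide's loop (not ESAPI's own code).

    digest(master_salt || salt || password), then re-digest the raw output
    `iterations` times. The salt enters only the first round.
    """
    h = hashlib.new(algorithm)
    h.update(master_salt)
    h.update(salt.encode("utf-8"))
    h.update(plaintext.encode("utf-8"))
    out = h.digest()
    for _ in range(iterations):
        out = hashlib.new(algorithm, out).digest()
    return base64.b64encode(out).decode("ascii")


def hash_password(plaintext, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a fresh random per-user salt.

    Returns a self-describing string: algorithm, cost, salt and digest, so
    verification needs nothing but the stored value.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", plaintext.encode("utf-8"), salt, iterations
    )
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(plaintext, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", plaintext.encode("utf-8"), salt, int(iterations)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong", record))
```

Two design notes. PBKDF2 keeps the password in every round through the HMAC key, whereas the slide's loop only chains raw digest output after round one; and storing the iteration count with the hash lets the cost be raised later without invalidating existing records. The verify function also checks the algorithm tag, so a record produced by some other scheme is rejected rather than misparsed.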

(9b) Password Security Defenses
Disable Browser Autocomplete
    Password and form fields
    Input type=password
Additional password security
    Do not display passwords in HTML document
    Only submit passwords over HTTPS

(10) Encryption in Transit (TLS)
Authentication credentials and session identifiers must be encrypted in transit via HTTPS/SSL
    Starting when the login form is rendered
    Until logout is complete
All other sensitive data should be protected via HTTPS!
https://www.ssllabs.com free online assessment of public facing server HTTPS configuration
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet for HTTPS best practices

Thank you! Questions?
[email protected]
[email protected]
