Remaining slides (continuing after slide 101 of the numbered transcript; the extraction cut these slides short where "..." appears):

Input Validation
• Be careful of using "hazardous" characters (ex: <>',"! (+)& %.)
• Add spec...

Be careful of encoding for specific validation...
URL
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%58%53%5...

Validate Data

SQL => bad

SQL => a little bit better

    List results = entityManager.createQuery("Select order from Orders order where order.id = ...
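The two SQL slides only show the heading and a truncated query, so here is the same lookup written both ways as an added example (not code from the deck). It assumes a table ORDERS(ID, CUSTOMER) and a javax.sql.DataSource supplied by the container; both are assumptions of this example.

```java
// Added example, not from the slides: "SQL => bad" beside a parameterized query.
// Assumes a table ORDERS(ID, CUSTOMER) and a container-provided DataSource.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

public class OrderLookup {

    private final DataSource dataSource;

    public OrderLookup(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // "SQL => bad": the request parameter is pasted into the statement text, so the
    // database cannot tell where the query ends and the data begins.
    public List<String> findCustomerUnsafe(String orderIdFromRequest) throws SQLException {
        String sql = "SELECT CUSTOMER FROM ORDERS WHERE ID = " + orderIdFromRequest;
        try (Connection c = dataSource.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // Parameterized query: the statement text is fixed and the value travels separately,
    // so it is never interpreted as SQL.  Converting to long first (slide 101: "convert as
    // soon as possible to Java types") rejects anything that is not an order number at all.
    public List<String> findCustomer(String orderIdFromRequest) throws SQLException {
        long orderId;
        try {
            orderId = Long.parseLong(orderIdFromRequest.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("order id must be numeric");
        }
        String sql = "SELECT CUSTOMER FROM ORDERS WHERE ID = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setLong(1, orderId);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> customers = new ArrayList<>();
        while (rs.next()) {
            customers.add(rs.getString("CUSTOMER"));
        }
        return customers;
    }
}
```

The JPA form the slide starts from gets the same treatment with named parameters: `entityManager.createQuery("select o from Orders o where o.id = :id", Orders.class).setParameter("id", orderId)`; string concatenation into a JPQL string is injectable in exactly the same way as into raw SQL.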
XML => bad

XML => Validating via regexp/white list

Better, an XML schema

    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="item">
    ...

XML => XML Parser validation
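The XML slides stop at the schema's first element, so the following added example (not the deck's code) shows what "XML Parser validation" looks like in the JDK: the parser is hardened against DOCTYPE-based attacks and the schema is enforced inside the parser, so a document that breaks it never reaches application code. The schema body, the sample documents and the bounds in them are constructed for this example; only the <item> element name comes from the slide.

```java
// Added example, not from the slides: hardened parser + schema validation with JAXP.
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class ItemXmlParser {

    // Constructed schema: an item has a name of bounded length and a quantity in a fixed range.
    static final String ITEM_SCHEMA =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "  <xs:element name=\"item\">"
      + "    <xs:complexType><xs:sequence>"
      + "      <xs:element name=\"name\">"
      + "        <xs:simpleType><xs:restriction base=\"xs:string\">"
      + "          <xs:maxLength value=\"40\"/><xs:pattern value=\"[A-Za-z0-9 ]+\"/>"
      + "        </xs:restriction></xs:simpleType>"
      + "      </xs:element>"
      + "      <xs:element name=\"quantity\">"
      + "        <xs:simpleType><xs:restriction base=\"xs:integer\">"
      + "          <xs:minInclusive value=\"1\"/><xs:maxInclusive value=\"999\"/>"
      + "        </xs:restriction></xs:simpleType>"
      + "      </xs:element>"
      + "    </xs:sequence></xs:complexType>"
      + "  </xs:element>"
      + "</xs:schema>";

    private final DocumentBuilderFactory factory;

    public ItemXmlParser() throws SAXException, ParserConfigurationException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // The schema is trusted, but still refuse to fetch anything over the network.
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = sf.newSchema(new StreamSource(new StringReader(ITEM_SCHEMA)));

        factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // No DOCTYPE at all: that removes external entities (XXE) and entity-expansion bombs.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        // Validation runs inside the parser.
        factory.setSchema(schema);
    }

    public Document parse(String untrustedXml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        // Schema violations arrive at the error handler as non-fatal errors; make them fatal,
        // otherwise DefaultHandler silently swallows them.
        builder.setErrorHandler(new DefaultHandler() {
            @Override public void error(SAXParseException e) throws SAXException { throw e; }
        });
        return builder.parse(new InputSource(new StringReader(untrustedXml)));
    }

    public static void main(String[] args) throws Exception {
        ItemXmlParser p = new ItemXmlParser();
        p.parse("<item><name>Widget</name><quantity>3</quantity></item>");   // accepted
        try {
            p.parse("<item><name>Widget</name><quantity>-1</quantity></item>");   // constructed bad input
        } catch (SAXException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

The error-handler override matters more than it looks: a DocumentBuilder with a schema but the default handler parses an invalid document without complaint, which defeats the point of the schema.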
LDAP => bad

LDAP => better
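Only the two LDAP headings survived extraction, so here is an added example (not the deck's code) of what "bad" versus "better" means for an LDAP search filter: the value from the request is escaped per RFC 4515 before it is placed in the filter, so characters with filter meaning can no longer change the filter's structure. The attribute names, the base DN and the DirContext binding are assumptions of this example.

```java
// Added example, not from the slides: LDAP filter construction, unsafe and escaped.
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapUserLookup {

    // RFC 4515 escaping for a value placed inside a search filter:
    // the characters \ * ( ) and NUL become \5c \2a \28 \29 \00.
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char ch : value.toCharArray()) {
            switch (ch) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    // "LDAP => bad": a uid containing * or ) is interpreted as part of the filter grammar,
    // so the request decides which entries the search matches.
    public static String buildFilterUnsafe(String uid) {
        return "(&(uid=" + uid + ")(objectClass=person))";
    }

    // "LDAP => better": the value can only ever match a uid that literally contains it.
    public static String buildFilter(String uid) {
        return "(&(uid=" + escapeFilterValue(uid) + ")(objectClass=person))";
    }

    // Search with the escaped filter; assumes ctx is already bound with a read-only service account.
    public static String findDn(DirContext ctx, String baseDn, String uid) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]);   // only the DN is needed
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, buildFilter(uid), sc);
        try {
            return results.hasMore() ? results.next().getNameInNamespace() : null;
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) {
        String sample = "jdoe*)(uid=";                 // constructed input
        System.out.println(buildFilterUnsafe(sample));  // (&(uid=jdoe*)(uid=)(objectClass=person))
        System.out.println(buildFilter(sample));        // (&(uid=jdoe\2a\29\28uid=)(objectClass=person))
    }
}
```

JNDI also offers the parameterized form `ctx.search(baseDn, "(&(uid={0})(objectClass=person))", new Object[] { uid }, sc)`, which performs the same escaping for you; either way, the value must never be concatenated raw.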
Using OWASP ESAPI
Output Encoding

Output encoding
• It's a defense-in-depth mechanism
• Encode ON THE SERVER
• Centralize the...

Attempt 1 => bad

Attempt 2 => it's bad, but better than nothing

A good solution with a robust Sanitizer :)
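The three output-encoding slides carry only their titles, so the following added example (not the deck's code) shows the progression in one centralized, server-side class: raw reflection, a tag-stripping attempt, and contextual encoding. The encoder is written out here so the example needs no library; the "robust sanitizer" of the last slide is not named on the page and is not what this shows. The sample input is constructed.

```java
// Added example, not from the slides: the three attempts side by side.
public class HtmlOutput {

    // Attempt 1: raw reflection.  Whatever the user typed becomes markup.
    public static String attempt1(String userInput) {
        return "<p>Hello " + userInput + "</p>";
    }

    // Attempt 2: strip one tag name.  Anything that does not spell "<script>" exactly
    // (different case, spacing, another tag, an attribute) goes straight through.
    public static String attempt2(String userInput) {
        String cleaned = userInput.replace("<script>", "").replace("</script>", "");
        return "<p>Hello " + cleaned + "</p>";
    }

    // Good: encode for the HTML text context.  Every character with meaning in that context
    // is replaced by a character reference, so the browser can only ever display it.
    public static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '/':  sb.append("&#47;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static String good(String userInput) {
        return "<p>Hello " + encodeForHtml(userInput) + "</p>";
    }

    public static void main(String[] args) {
        String input = "Bob <SCRIPT>evil()</SCRIPT>";   // constructed sample
        System.out.println(attempt1(input));   // markup is rendered: bad
        System.out.println(attempt2(input));   // still rendered: the replace is case-sensitive
        System.out.println(good(input));       // <p>Hello Bob &lt;SCRIPT&gt;evil()&lt;&#47;SCRIPT&gt;</p>
    }
}
```

This encoder is correct only for HTML element content; a value placed inside an attribute, a JavaScript string, a URL or a CSS rule needs the encoder for that context, which is the point of the XSS prevention cheat sheet linked from the ASVS slide.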
Error Logging

Error Handling
Your Application will crash!
• Catch all exceptions without exception (remember...

Logging/Errors
• Split your logs into categories, for example:
– Access
– Error
– Debug
– Audit
• Use l...

Log4J Example

    import com.sec.dev;
    // Import log4j classes.
    import org.apache.log4j.Logger;
    import org.apache.log4j.B...

Bad handling of Exception

Good Housecleaning

    try {
        SensitiveData sensitiveData = new SensitiveData("4242424242424242");
        out = new PrintWriter...

Better handling of exception and error

    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        ...
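The error-handling slides (and "Fail securely" earlier in the deck) are truncated, so here is an added example (not the deck's code) that puts them together in one servlet: every Throwable is caught, logged in the error category under a generated incident id, the user is shown only that id, and the sensitive value is wiped in finally. java.util.logging stands in for the slide's Log4J so it compiles against the JDK alone; the card parameter, the charge() method and the log category names are assumptions of this example.

```java
// Added example, not from the slides: fail securely, categorized logs, housecleaning.
import java.io.IOException;
import java.util.Arrays;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PaymentServlet extends HttpServlet {

    // Separate categories, as the slide recommends, so they can be routed and retained differently.
    private static final Logger ACCESS = Logger.getLogger("access");
    private static final Logger ERROR  = Logger.getLogger("error");
    private static final Logger AUDIT  = Logger.getLogger("audit");

    // User-controlled values must not be able to forge log lines: neutralize CR/LF and other controls.
    static String forLog(String value) {
        if (value == null) return "null";
        return value.replaceAll("\\p{Cntrl}", "_");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser();
        ACCESS.info("POST " + req.getRequestURI() + " user=" + forLog(user));
        char[] cardNumber = null;
        try {
            String raw = req.getParameter("card");
            if (raw == null || !raw.matches("[0-9]{13,19}")) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid request");
                return;
            }
            // Work on a char[] so it can be zeroed; the String returned by getParameter cannot be.
            cardNumber = raw.toCharArray();
            charge(cardNumber);                      // hypothetical business logic
            AUDIT.info("payment accepted user=" + forLog(user) + " last4=" + raw.substring(raw.length() - 4));
            resp.setContentType("text/plain");
            resp.getWriter().println("payment accepted");
        } catch (Throwable t) {
            // The stack trace, the URI and the user go to the error log under an incident id...
            String incident = UUID.randomUUID().toString();
            ERROR.log(Level.SEVERE, "incident " + incident + " user=" + forLog(user)
                      + " uri=" + req.getRequestURI(), t);
            // ...and the client only learns the id, never the technical details.
            if (!resp.isCommitted()) resp.reset();
            resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            resp.setContentType("text/plain");
            resp.getWriter().println("An error occurred. Reference: " + incident);
        } finally {
            if (cardNumber != null) Arrays.fill(cardNumber, '\0');   // housecleaning
        }
    }

    private void charge(char[] cardNumber) {
        // Hypothetical: hands the number to the payment gateway.
    }
}
```

The <error-page> entry on the slide is the safety net for exceptions that escape a servlet anyway; with both in place the container's default page, stack trace included, is never shown to the client.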
Data Protection

Data protection
• Protect sensitive data, don't store it in clear.
• Store sensitive dat...
Disable Client Side caching

    import javax.servlet.*;
    import javax.servlet.http.HttpServletResponse;
    impor...
Access to FileSystem

Absolute Path is bad

Canonicalisation is good
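The two file-system slides are titles only, so here is an added example (not the deck's code) of both: a file name from the request is resolved against a fixed base directory, canonicalized, and then checked to still lie inside that directory. The base directory /var/app/docs and the sample names are constructed for the example.

```java
// Added example, not from the slides: canonicalize, then check containment.
import java.io.File;
import java.io.IOException;

public class DocumentStore {

    private final File base;

    public DocumentStore(File baseDirectory) throws IOException {
        this.base = baseDirectory.getCanonicalFile();
    }

    // "Absolute path is bad": the request decides the final path, so ".." sequences and
    // symbolic links can lead outside the intended directory.
    public File resolveUnsafe(String requestedName) {
        return new File(base, requestedName);
    }

    // "Canonicalisation is good": resolve symlinks and ".." first, then require the result
    // to start with the base directory plus a separator (so /var/app/docs2 does not pass as
    // a child of /var/app/docs).
    public File resolve(String requestedName) throws IOException {
        if (requestedName == null || requestedName.isEmpty()) {
            throw new IllegalArgumentException("no file requested");
        }
        File candidate = new File(base, requestedName).getCanonicalFile();
        String prefix = base.getPath() + File.separator;
        if (!candidate.getPath().startsWith(prefix)) {
            throw new SecurityException("path escapes document directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        DocumentStore store = new DocumentStore(new File("/var/app/docs"));
        System.out.println(store.resolve("manual.pdf"));   // /var/app/docs/manual.pdf
        try {
            store.resolve("../../../etc/passwd");           // constructed traversal attempt
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A white list on the name itself (for instance `[A-Za-z0-9._-]+`) is a cheap additional check in front of this one; the canonical-path comparison remains the check that actually decides.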
Secure Communications

Secure Communications
• Use TLS/SSL:
– at least SSL v3.0/TLS 1.0
– minimum of 128 bits encryptio...

Force TLS/SSL Response
• Use HTTP Strict Transport Security (HSTS).
– Available on some brows...
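The "Disable Client Side caching" slide stops after its imports and the HSTS slide is truncated, so this added example (not the deck's code) is one servlet filter that sets the headers both slides call for. The max-age value and the filter mapping are assumptions; `req.isSecure()` reflects the container's own connector, so behind a TLS-terminating proxy the container must be configured to trust the proxy's forwarded-protocol header for this check to be right. Note also that the protocol floor on the slide predates RFC 7568 and RFC 8996, which deprecated SSLv3 and TLS 1.0/1.1 respectively.

```java
// Added example, not from the slides: no-cache headers for authenticated pages plus HSTS.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SecurityHeadersFilter implements Filter {

    // One year, applied to subdomains too.  Start with a short max-age while rolling out.
    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    @Override public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Client-side caching off: pages behind authentication must not survive in the
        // browser cache or in intermediary caches (HTTP/1.1, HTTP/1.0 and legacy forms).
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, private");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        if (req.isSecure()) {
            // HSTS is only honoured by browsers on a TLS response.
            resp.setHeader("Strict-Transport-Security", HSTS_VALUE);
        } else {
            // Plain HTTP: send the client to the TLS version of the same URL instead of serving it.
            StringBuilder location = new StringBuilder("https://").append(req.getServerName());
            location.append(req.getRequestURI());
            if (req.getQueryString() != null) location.append('?').append(req.getQueryString());
            resp.sendRedirect(location.toString());
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void destroy() {}
}
```

Map the filter to the authenticated part of the application (for example `/app/*`) in web.xml; static public assets can keep normal caching.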
Configuration
• Review all properties and configuration files
• Be careful of default passwords...
• Rem...
Now you can protect against him

NEWS
A BLOG
A PODCAST
MEMBERSHIPS
MAILING LISTS
A NEWSLETTER
APPLE APP STORE
VIDEO TUTORIALS
TRAININ...

Dates
• AppSec Research Europe 2013: 20/23 August – Hamburg – Germany
• October 2013 ...

Supporting OWASP
• Different options:
– Individual member: 50 $
– Corporate member: ...

Next meetings
• September 2013
– Room: Mozilla Center Paris
– Speaker:
• Security on...

License

If you followed everything, you know the next slide....

@SPoint
sebastien.gior...
Secure Coding for Java - An introduction

This talk is an introduction to Secure Coding for Java. Through various examples it presents the good practices that allow a secure Java application to be developed pragmatically. We cover both functional practices and pieces of Java code containing errors, together with their fixes.
1. Secure Coding for Java (an introduction). Java User Group Poitou-Charentes (Niort), 27 June 2013. Sébastien Gioria, Sebastien.Gioria@owasp.org, Chapter Leader OWASP France. Friday, June 28, 13
2. http://www.google.fr/#q=sebastien gioria
   ‣ OWASP France Leader & Founder & Evangelist
   ‣ Innovation & Technology @ Advens
   ‣ Twitter: @SPoint / @OWASP_France
   ‣ Application Security group leader for the CLUSIF
   ‣ Proud father of young kids trying to hack my digital life.
   Don't worry, this is the only slide in English; on the other hand there will be things written all over the bottom...
3. ForeWords
   • This is a presentation made from my own experience with some companies using OWASP materials.
   • Only the documents from the OWASP wiki are official OWASP documents (see https://www.owasp.org).
   • Some extracts come from documents I wrote as OWASP leader, which is why you may find them elsewhere.
4. Agenda
   • Application Security:
     – where we are (no bullshit)
     – where we are (hopefully) going?
   • Using OWASP materials to secure code
   • Secure Coding principles
5. Introduction
6-15. Why Application Security? (flowchart built up over ten slides; its boxes, in order of appearance: "Your Application been Hacked" with YES/NO branches, "Your Application will be Hacked ;)" with YES/NO branches, "Let Me take you on the right way", "My Application will be hacked!", "Next Step")
16. We are living in a Digital environment, in a Connected World
   • Most websites are vulnerable to attacks
   • Important % of web-based Business (Services, Online Store, Self-care, Telcos, SCADA, ...)
   • Why Application Security? (timeline: Age of Antivirus, Age of Network Security, Age of Application Security)
17. Consequences of bad or no security
   – Identity theft
   – Hardware theft
   – IT downtime
   – Bad media coverage
   – Financial loss
   – Customer loss
   – Legal/business penalties
18-24. What Verizon (PCI-DSS company) said? (chart slides, © Verizon 2012; the figures are not in the extracted text)
25-30. Verizon Study (chart slides, © Verizon 2012)
31-32. Verizon study (chart slides, © Verizon 2012)
33-36. (chart slides, (c) WhiteHatSecurity 2013)
37. What your CIO said: I got a Firewall!
38. What your business user said: I have an SSL-based Web Site
39. What your business user said: only the hacker can attack my website
   • Tools are more and more simple.
   • Try a simple request on the Google website on SQL Injection and look at it.
   • An attack on a Web Server costs 100$/200$ per day on the underground market.
40. What your user said: a vulnerability on an internal Application is not critical.
   • No. The web is anywhere, and CSRF, HTML5 CORS and more can make this completely destructive
   • Be aware and share this: AJAX is doing a lot of things without you
   • Be aware and share this: HTML5 will come with "nice" user functionality, but with a big impact on security (WebSocket, CORS, ...)
41. But I do Security testing! (diagram: Security Testing vs. Coding)
42. Major OWASP publications you can use
   All are on the wiki https://www.owasp.org. All are under GPL or friendly licenses.
   Major publications you can use to secure your projects/SDLC: Building Guide, Code Review Guide, Testing Guide, Application Security Desk Reference (ASDR). The Top 10 references these 3 guides.
   • OWASP Top10
   • Auditor/Testing Guide
   • Code Review Guide
   • Building Guide
   • Application Security Verification Standard (ASVS)
   • Secure Coding Practices
43-55. (SDLC wheel built up over thirteen slides: Learn, Contract, Design, Build, Test, Progress)
56. OWASP Application Security Verification Standard
57. What is ASVS?
   • A standard that provides a basis for the verification of web applications, independent of the application.
   • A standard that is independent of the life-cycle model.
   • A standard that defines requirements that can be applied across applications without special interpretation.
58. What questions does ASVS answer?
   • How much trust can be placed in a web application?
   • What features should be built into security controls?
   • How do I acquire a web application that is verified to have a certain range in coverage and level of rigor?
59. ASVS secure controls requirements (number of requirements per security area and level)

   Security Area                                             1A   1B   2A   2B    3    4
   V1 – Security Architecture Verification Requirements        1    1    2    2    4    5
   V2 – Authentication Verification Requirements               3    2    9   13   13   14
   V3 – Session Management Verification Requirements           4    1    6    7    8    9
   V4 – Access Control Verification Requirements               5    1   12   13   14   15
   V5 – Input Validation Verification Requirements             3    1    5    7    8    9
   V6 – Output Encoding/Escaping Verification Requirements     0    1    2    8    9   10
   V7 – Cryptography Verification Requirements                 0    0    2    8    9   10
   V8 – Error Handling and Logging Verification Requirements   1    1    2    8    8    9
   V9 – Data Protection Verification Requirements              1    1    2    3    4    4
   V10 – Communication Security Verification Requirements      1    0    3    6    8    8
   V11 – HTTP Security Verification Requirements               3    3    6    6    7    7
   V12 – Security Configuration Verification Requirements      0    0    0    2    3    4
   V13 – Malicious Code Search Verification Requirements       0    0    0    0    0    5
   V14 – Internal Security Verification Requirements           0    0    0    0    1    3
   Totals                                                     22   12   51   83   96  112

60. But ASVS stands for Verification?
   • ASVS only states the functional needs for controls.
   • You should use it as a Secure Coding Policy.
   ★ Don't be medium (ASVS Level 1/2), just target excellence (ASVS Level 4)
61. Using ASVS as a secure coding policy
   • ASVS: Verify that all password fields do not echo the user's password when it is entered.
     ➡ All password fields must be defined as HTML password fields and must not echo the user's password.
     ➡ All login forms must include the autocomplete=off tag
   • ASVS: Verify that all input validation is performed on the server side.
     ➡ Perform all input validation on the server. Nothing in the browser
62. Positive attitude
   Negative: The tester shall search for XSS holes
   Positive: Verify that the application performs input validation and output encoding on all user input
   See: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
63. OWASP Secure Coding Practices
64. OWASP Secure Coding Practices
   • Small document (only 9 pages)
   • Can be used as a simple checklist for your policy.
   • Can be used together with ASVS or alone.
   • More technical and deeper approach than ASVS.
   • Written and used by Boeing :)
65. Secure Coding Practices Contents
   • Input Validation
   • Output Encoding
   • Authentication and Password Management
   • Session Management
   • Access Control
   • Cryptographic Practices
   • Error Handling and Logging
   • Data Protection
   • Communication Security
   • System Configuration
   • Database Security
   • File Management
   • Memory Management
   • General Coding Practices
66. Now the torture room
67. (extracts from OWASP Secure Coding Practices/OWASP CheatSheets, OWASP ASVS, ...) Let's talk Secure Coding now
68. Some secure principles to follow
   • Defense in depth of the application is mandatory
   • Following least privilege is the best solution
   • Segregate duties more than users think
   ➡ Remember that the application needs to answer user needs and not security pleasure.
69. Deep defense of a Web Application (example) (diagram: User, Browser, Firewall, Web Server, App Server, SGBD (DBMS); labels placed on it: User auth, Input Validation, Secure configuration, Good crash mechanisms, Critical data transport protection, Preventing session and ID theft, Critical data protections, Logs/Audit of transactions, Authorisation and authentication, Preventing parameters thefts)
70-71. Fail securely
   • Don't give the user technical details of the error/crash.
   • Clean state or use objects in the catch clause
72-75. Don't try to make obscure things (screenshots: GEOPORTAIL, GOOGLE MAPS)
76. • Obfuscation is not the solution
   • There is someone in the matrix who will send you evil data
   • Be evil!
   • Protecting the area with a filter is the best solution
77. Controls
   • Controls need:
     – to be simple
     – to be used correctly
     – to be functional
     – to be present in every part of the application
   A badly understood control ends up unused by developers, and the application will be vulnerable.
78. Minimal controls to have
   • You must have at least these components in your application:
     – Authentication
     – Authorization
     – Logging and audit
     – Secure Storage
     – Secure transport
     – Secure input and output manipulation of data
79. Authentication
80. Implement a good password strategy
   • Password length
     – Categorize applications:
       • Important: at least 6 characters
       • Critical: at least 8 characters and perhaps multi-factor authentication
       • High Critical: at least 14 characters and multi-factor authentication
   • Password strength
     – Implement password complexity with the previous categories
       • at least: 1 upper, 1 lower, 1 digit, 1 special
       • don't allow dictionary passwords
       • don't allow continuous characters
81. Implement a good password strategy
   • Let the user choose it
   • Force the user to change it regularly, and add a no-reuse capability.
   • Don't allow too much "I forgot my passwd"
   • Don't allow a change of password without user approval; require the actual password from the user, and more for high critical.
   • Add a sleep strategy!
   • Add a detection-of-misuse strategy!
   • Don't store passwords in clear!!!!! use a hash!
82. Multi-Factor authentication
   • Passwords are bad
   • Passwords are guessable
   • Multi-factor combines:
     – something you have (token, mobile, ...)
     – something you know (details about you, password, ...)
     – sometimes, something you are (biometrics)
     – Use it for high critical applications.
83. Implement a good global strategy
   • Ask for a second authentication for critical transactions (with multi-factor auth...)
   • Force authentication to be in TLS/SSL
   • Regenerate the Session ID after authentication
   • Force the Session ID to be "secure"
   • Limit forgotten-password and change-of-login/password requests
84. How to do it?
   • Authenticate all pages but not public pages (login, logout, help, ....)
   • Don't allow more than one authentication mechanism
   • Authenticate on the SERVER
   • Simply send back "user or passwd mismatch" and nothing else after a failed authentication.
   • Log all failed and all successful authentications
   • After each authentication, show the user the status of their last authentication.
85. • Good Regex for password complexity:

       (?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$

   • Good storage of a password with SALT:

       import java.nio.charset.StandardCharsets;
       import java.security.MessageDigest;
       import java.security.NoSuchAlgorithmException;

       public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
           MessageDigest digest = MessageDigest.getInstance("SHA-256");
           digest.reset();
           digest.update(salt);                                              // the salt goes in first
           return digest.digest(password.getBytes(StandardCharsets.UTF_8));  // then the password
       }
86. Session Management
87. Session
   • Use the default Java framework generator
   • Use another name than the framework's default name (rename JSESSIONID...)
   • Force transport of the authentication ID over SSL/TLS.
   • Don't allow the Session ID in the URL!
   • If using cookies:
     – Secure cookie
     – HttpOnly cookie
     – Limit path + domain
     – Max Age and expiration
88. Session tricky
   • Automatic expiration
     – categorize applications:
       • default: 1 hour
       • critical (some transactions): 20 mins
       • high critical (financial or account impact): 5 mins
   • Renew the Session ID after any privilege change
   • Don't allow simultaneous logon
   • Add Session Attack Detection
   • add in-session tips: IP of the session, another random number, ...
89. Browser defenses
   • Bind JavaScript events to close the session
     – on window.close()
     – on window.stop()
     – on window.blur()
     – on window.home()
   • Use a JavaScript timer to automatically close the session in high critical applications
   • Disable web-browser cross-tab sessions if possible... (bad user experience....)
     – If you use cookies, this is not possible!!!!
90. Using Servlet 3.0?

       <session-config>
           <cookie-config>
               <http-only>true</http-only>
               <secure>true</secure>
           </cookie-config>
       </session-config>
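As an added example (not the deck's code), the web.xml of slide 90 done programmatically with the Servlet 3.0 API, together with the session-id regeneration of slide 83 and the per-category timeouts of slide 88. The cookie name and path, the attribute copying and the three timeouts are assumptions of this example.

```java
// Added example, not from the slides: cookie hardening at startup, session regeneration at login.
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionHardening implements ServletContextListener {

    // Slide 88's categories, in seconds.
    public enum Criticality {
        DEFAULT(3600), CRITICAL(20 * 60), HIGH_CRITICAL(5 * 60);
        final int timeoutSeconds;
        Criticality(int s) { timeoutSeconds = s; }
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setName("APPSESSION");   // not the framework default (JSESSIONID)
        cookie.setHttpOnly(true);       // <http-only>true</http-only>
        cookie.setSecure(true);         // <secure>true</secure>
        cookie.setPath("/app");         // limit the path; leaving the domain unset keeps the
                                        // cookie host-only, which is tighter than any setDomain()
        cookie.setMaxAge(-1);           // session cookie: gone when the browser closes
        // Cookies only: the session id never appears in a URL (no ;jsessionid= rewriting).
        sce.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override public void contextDestroyed(ServletContextEvent sce) {}

    // Call after a successful login, and again after any privilege change: the earlier
    // session is discarded, so an id fixed or observed beforehand is worthless, and only the
    // attributes worth keeping are copied into the new one.
    public static HttpSession regenerate(HttpServletRequest req, Criticality level) {
        HttpSession old = req.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String n = names.nextElement();
                keep.put(n, old.getAttribute(n));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setMaxInactiveInterval(level.timeoutSeconds);           // automatic expiration
        fresh.setAttribute("boundRemoteAddr", req.getRemoteAddr());   // slide 88: in-session tip
        return fresh;
    }
}
```

Register the listener in web.xml or with @WebListener; on Servlet 3.1 containers `request.changeSessionId()` replaces the invalidate-and-recreate dance while keeping the attributes automatically.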
91. Access Controls
92. Remember
(1) Without access control, you can't control the user in your application
(2) All client inputs are EVIL
95. Authentication & Authorization
• Two levels of authentication and authorization are needed
   – In the Application
   – In the infrastructure
[Diagram: App Server with Role A and Role B, each using its own connection to the DBMS (SGBD): connection for Table A + duty A, connection for Table B + duty B]
96. Authorization
• Keep the rule in mind:
   – Nothing by default
• Centralize all authorization code on the SERVER
• If client-side state is mandatory, use encryption and integrity checking on the server side to catch state tampering.
• Limit the number of transactions per user in a time interval.
97. Authorization
• Enforce:
   – protection of URLs to authorized accounts only
   – protection of functions to authorized accounts only
   – protection of file access to authorized accounts only
• The application needs to terminate the session when authorization fails.
• Split administrative and user authorization
• Enforce dormant account handling:
   – loss of privileges.
   – "disable account"
   – alerts
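Added example, not code from the slides: one servlet filter mapped to "/*" that holds the whole URL authorization policy (centralized, on the server), denies anything not explicitly listed, keeps admin and user rights apart, and terminates the session on an authorization failure as the slide requires. The URL prefixes, role names and the "roles" session attribute are assumptions for this example.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Deny-by-default URL authorization applied by a single filter. */
public class AuthorizationFilter implements Filter {
    // Central policy table: URL prefix -> roles allowed. Anything not listed is denied.
    private static final Map<String, Set<String>> POLICY = new LinkedHashMap<>();
    // Pages reachable without authentication (login, logout, help, error page).
    private static final Set<String> PUBLIC = new HashSet<>(Arrays.asList("/login", "/logout", "/help", "/error.jsp"));
    static {
        POLICY.put("/admin/", Collections.singleton("ADMIN"));                 // administrative functions
        POLICY.put("/account/", new HashSet<>(Arrays.asList("USER", "ADMIN"))); // user functions
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String path = req.getRequestURI().substring(req.getContextPath().length());

        if (PUBLIC.contains(path)) {
            chain.doFilter(request, response);
            return;
        }
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendRedirect(req.getContextPath() + "/login");                // not authenticated
            return;
        }
        if (!allowed(path, rolesOf(session))) {
            session.invalidate();                                              // slide: terminate the session
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Pure policy decision, kept free of servlet types so it can be unit-tested. */
    static boolean allowed(String path, Set<String> roles) {
        for (Map.Entry<String, Set<String>> rule : POLICY.entrySet()) {
            if (path.startsWith(rule.getKey())) {
                for (String r : roles) {
                    if (rule.getValue().contains(r)) return true;
                }
                return false;                                                  // prefix known, role missing
            }
        }
        return false;                                                          // nothing by default
    }

    @SuppressWarnings("unchecked")
    private static Set<String> rolesOf(HttpSession s) {
        Object r = s.getAttribute("roles");
        return r instanceof Set ? (Set<String>) r : Collections.<String>emptySet();
    }
}
```

The prefix match is only as good as the path it sees: getRequestURI() is not decoded or normalized by every container, so a path containing ".." or an encoded separator should be canonicalized (decoded once, normalized, and re-checked) before it reaches allowed().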
98. Validation of Data
99. Input Validation
• Ensure all data validation is done on THE SERVER.
   – If you do something on the client side we can say you are doing "painting"
• Classify your data:
   – Trusted data
   – Untrusted data
• Conduct a trusted path.
• Centralize your data validation
• Use proper parametrized queries when they exist (SQL)
100. Border validation
• Consider validating data at all the entry points of your application border
101. Input Validation
• Use the proper character set for all input
• Encode all data to the same character set before doing anything <=> Canonicalize
• Reject all data that was not validated
• Validate data:
   – expected type (convert as soon as possible to Java types)
   – expected range
   – expected length
   – expected values
   – expected "white list" if possible
102. Input Validation
• Be careful with "hazardous" characters (ex: <>',"!(+)& %.)
• Add specific validation:
   – check for null bytes (%00)
   – check for new lines (%0D, %0A, \n, \r, ...)
   – check for dot-dot-slashes (../)
103. Be careful of encoding for specific validation...
   URL:     %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%58%53%53%29%3b%3c%2f%73%63%72%69%70%74%3e%0a
   HTML:    <script>ale&#x72;t(XSS);</sc&#x72;ipt>
   UTF-8:   %u003c%uff53%uff43%uff52%uff49%uff50%uff54%u003e%uff41%uff4c%uff45%uff52%uff54%uff08%uff38%uff33%uff33%uff09%u003c%u2215%uff53%uff43%uff52%uff49%uff50%uff54%u003
   One space?   < s c r i p t > a l e r t ( X S S ) ; < / s c r i p t >
   All of the above decode to: <script>alert(XSS);</script>
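Added example, not code from the slides, covering the validation steps of the last few slides in one place: canonicalize first (Unicode NFKC, so the full-width letters from the encoding slide become plain ASCII before any check runs), reject the hazardous sequences the slide lists, then whitelist and convert to a Java type with an explicit range. The field names and patterns are assumptions for this example; URL decoding is left to the servlet container.

```java
import java.text.Normalizer;
import java.util.regex.Pattern;

/** Centralized server-side input validation: canonicalize, reject, whitelist, convert early. */
public final class InputValidator {
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{3,32}$");
    private static final Pattern ORDER_ID = Pattern.compile("^[0-9]{1,10}$");
    // Hazardous sequences from the slide: null byte, CR, LF, dot-dot-slash (both separators).
    private static final Pattern DANGEROUS = Pattern.compile("\\x00|\\r|\\n|\\.\\./|\\.\\.\\\\");

    public static final class ValidationException extends Exception {
        public ValidationException(String message) { super(message); }
    }

    /** Step 1: bring every input to one canonical form before checking anything. */
    public static String canonicalize(String raw) throws ValidationException {
        if (raw == null) throw new ValidationException("missing value");
        String s = Normalizer.normalize(raw, Normalizer.Form.NFKC);   // full-width, ligatures -> ASCII
        if (DANGEROUS.matcher(s).find()) throw new ValidationException("hazardous characters");
        return s;
    }

    /** Whitelisted identifier: only the listed characters, bounded length. */
    public static String username(String raw) throws ValidationException {
        String s = canonicalize(raw);
        if (!USERNAME.matcher(s).matches()) throw new ValidationException("bad username");
        return s;
    }

    /** Converted to a Java type as soon as it is validated, with an explicit range check. */
    public static long orderId(String raw) throws ValidationException {
        String s = canonicalize(raw).trim();
        if (!ORDER_ID.matcher(s).matches()) throw new ValidationException("bad order id");
        long id = Long.parseLong(s);
        if (id < 1 || id > 9_999_999_999L) throw new ValidationException("order id out of range");
        return id;
    }

    public static boolean isValidUsername(String raw) {
        try { username(raw); return true; } catch (ValidationException e) { return false; }
    }

    public static void main(String[] args) {
        // Constructed samples; the full-width form is the one from the encoding slide.
        String[] samples = { "alice_01", "\uff53\uff43\uff52\uff49\uff50\uff54", "<script>", "bob\u0000", "../etc" };
        for (String in : samples) {
            System.out.println(in + " -> " + isValidUsername(in));
        }
        try { System.out.println("order 42 -> " + orderId(" 42 ")); } catch (ValidationException e) { System.out.println(e); }
        try { orderId("42 OR 1=1"); } catch (ValidationException e) { System.out.println("order '42 OR 1=1' -> " + e.getMessage()); }
    }
}
```

Note that the full-width sample is accepted: after NFKC it is the plain word "script", which the username whitelist allows. That is the point of canonicalizing first, since the whitelist then judges what the application will actually store rather than a look-alike.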
104. Validate Data
105. SQL => bad
108. SQL => a little bit better
109. JPA/Entity
   /* untrusted values concatenated into the query string: injectable */
   List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList();
   List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList();
   int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate();

   /* positional parameter in JPQL */
   Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1");
   List results = jpqlQuery.setParameter(1, "123-ADB-567-QTWYTFDL").getResultList();

   /* Native SQL */
   Query sqlQuery = entityManager.createNativeQuery("Select * from Books where author = ?", Book.class);
   List results = sqlQuery.setParameter(1, "Charles Dickens").getResultList();

   /* named query in JPQL - Query named "myCart" being "Select c from Cart c where c.itemId = :itemId" */
   Query jpqlQuery = entityManager.createNamedQuery("myCart");
   List results = jpqlQuery.setParameter("itemId", "item-id-0001").getResultList();

   /* named parameter in JPQL */
   Query jpqlQuery = entityManager.createQuery("Select emp from Employees emp where emp.incentive > :incentive");
   List results = jpqlQuery.setParameter("incentive", new Long(10000)).getResultList();
115. XML => bad
117. XML => Validating via regexp/white list
118. Better, an XML schema
   <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
     <xs:element name="item">
       <xs:complexType>
         <xs:sequence>
           <xs:element name="description" type="xs:string"/>
           <xs:element name="price" type="xs:decimal"/>
           <xs:element name="quantity" type="xs:integer"/>
         </xs:sequence>
       </xs:complexType>
     </xs:element>
   </xs:schema>
119. XML => XML Parser validation
120. LDAP => bad
122. LDAP => better
123. Using OWASP ESAPI
124. Output Encoding
125. Output encoding
• It's a defense-in-depth mechanism
• Encode ON THE SERVER
• Centralize the encoder functions
• Sanitize all data sent to the client
   – HTMLEncode is a minimum but does not work in all cases
126. Attempt 1 => bad
128. Attempt 2 => it's bad, but better than nothing
130. A good solution with a robust Sanitizer :)
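Added example, not code from the slides or from ESAPI: a small centralized encoder with one function per output context, to show why "HTMLEncode is a minimum but does not work in all cases". The same string needs different treatment between tags, inside an attribute value and inside a JavaScript string literal. In production the equivalent calls in OWASP Java Encoder are Encode.forHtml, Encode.forHtmlAttribute and Encode.forJavaScript; the sample payload below is the one from the encoding slide, constructed here.

```java
/** Teaching version of context-aware output encoders; one entry point per HTML context. */
public final class OutputEncoder {

    /** Text placed between HTML tags: encode every character that can start markup. */
    public static String forHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;   // &apos; is not defined in HTML 4
                case '/':  sb.append("&#x2F;"); break;   // helps close-tag injection in lenient parsers
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Attribute values: whitelist alphanumerics, numeric-entity-encode everything else. */
    public static String forHtmlAttribute(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) {
                sb.append(c);
            } else {
                sb.append("&#x").append(Integer.toHexString(c)).append(';');   // covers space, =, quotes, ...
            }
        }
        return sb.toString();
    }

    /** A string literal inside a script block: \xHH / \uHHHH for everything but ASCII alphanumerics. */
    public static String forJavaScriptString(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() * 4);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else if (c < 256) {
                sb.append(String.format("\\x%02x", (int) c));
            } else {
                sb.append(String.format("\\u%04x", (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String payload = "<script>alert(XSS);</script>";   // the slide's sample, constructed here
        System.out.println("<p>" + forHtml(payload) + "</p>");
        System.out.println("<input value=\"" + forHtmlAttribute(payload) + "\">");
        System.out.println("<script>var s = '" + forJavaScriptString(payload) + "';</script>");
    }
}
```

None of these functions is right for a URL, a CSS value or an unquoted attribute; each of those contexts needs its own encoder, which is why the slide asks for the encoders to be centralized in one place rather than rewritten per page.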
131. Error Logging
132. Error Handling
Your application will crash!
• Catch all exceptions without exception (remember the null pointer exception!)
   – Clean all exception code of sensitive data
   – Don't give the user any details about the crash, just say "It's a crash, try again later"
• Logs are sensitive, you MUST PROTECT THEM
• Log:
   – input validation failures
   – authentication requests, especially failures
   – access control failures
   – system exceptions
   – administrative functionality
   – crypto failures
   – invalid/expired session token access
133. Logging/Errors
• Split your logs into categories, for example:
   – Access
   – Error
   – Debug
   – Audit
• Use log4j for standard logging
134. Log4J Example
   package com.sec.dev;

   // Import log4j classes.
   import org.apache.log4j.Logger;
   import org.apache.log4j.Level;
   import org.apache.log4j.BasicConfigurator;

   public class SecLogger {
       // Define a static logger variable so that it references the
       // Logger instance named after this class.
       static Logger logger = Logger.getLogger(SecLogger.class);

       public static void main(String[] args) {
           // Set up a simple configuration that logs on the console.
           BasicConfigurator.configure();
           logger.setLevel(Level.DEBUG); // optional if log4j.properties file not used
           // Possible levels: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL
           logger.info("Entering application.");
           Bar bar = new Bar();          // Bar is the application's own class (not shown on the slide)
           bar.doIt();
           logger.info("Exiting application.");
       }
   }
135. Bad handling of Exception
137. Good Housecleaning
   SensitiveData sensitiveData = null;   // declared outside the try so catch and finally can reach it
   PrintWriter out = null;
   try {
       sensitiveData = new SensitiveData("4242424242424242");
       out = new PrintWriter(new FileWriter("OutFile.txt"));
       // Do stuff....
   } catch (IOException e) {
       if (sensitiveData != null) {
           sensitiveData.set("0000000000000000");
       }
       logger.error("IO exception: " + e.getMessage());
   } catch (Exception e) {
       if (sensitiveData != null) {
           sensitiveData.set("0000000000000000");
       }
       logger.error("Error occurred! " + e.getMessage());
   } finally {
       if (sensitiveData != null) {
           sensitiveData.set("0000000000000000"); // overwrite the card number on every exit path
       }
       if (out != null) {
           out.close(); // RELEASE RESOURCES
       }
   }
138. Better handling of exceptions and errors
   <error-page>
       <exception-type>java.lang.Throwable</exception-type>
       <location>/error.jsp</location>
   </error-page>
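Added example, not code from the slides: a last-resort filter that does what the error handling slides ask for in one place. Everything about the failure (stack trace, user, URI) goes to a separate "error" log category on the server, an "audit" category records that a system exception happened, and the user only receives the generic "try again later" message plus a random reference they can quote to support. The category names and the "user" session attribute are assumptions for this example; log4j 1.x is the API the deck uses.

```java
import java.io.IOException;
import java.util.UUID;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger;

/** Catches everything that escapes the application and hides the details from the client. */
public class ErrorHandlingFilter implements Filter {
    private static final Logger ERROR = Logger.getLogger("error");   // slide: separate log categories
    private static final Logger AUDIT = Logger.getLogger("audit");

    @Override public void init(FilterConfig c) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            chain.doFilter(req, res);
        } catch (Throwable t) {                               // "without exception": NPE, Error, anything
            String ref = UUID.randomUUID().toString();        // correlates the user's report with the log entry
            String user = currentUser(request);
            // Full details stay server-side, in a log that must itself be protected.
            ERROR.error("ref=" + ref + " user=" + user + " uri=" + request.getRequestURI(), t);
            AUDIT.warn("system exception ref=" + ref + " user=" + user);
            if (!response.isCommitted()) {
                response.reset();                             // drop any partial body already buffered
                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                response.setContentType("text/plain;charset=UTF-8");
                response.getWriter().println("It's a crash, try again later. Reference: " + ref);
            }
        }
    }

    private static String currentUser(HttpServletRequest request) {
        HttpSession s = request.getSession(false);
        Object u = s == null ? null : s.getAttribute("user");
        return u == null ? "-" : u.toString();
    }
}
```

The filter complements the error-page element above rather than replacing it: the container's error page still covers failures raised before this filter runs or after the response has been committed.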
139. Data Protection
140. Data protection
• Protect sensitive data, don't store it in clear.
• Store sensitive data in trusted systems
• Don't use GET requests for sensitive data.
• Disable client-side caching
141. Disable Client Side caching
   import javax.servlet.*;
   import javax.servlet.http.HttpServletResponse;
   import java.io.IOException;

   public class CacheControlFilter implements Filter {
       public void init(FilterConfig config) throws ServletException {}
       public void destroy() {}

       public void doFilter(ServletRequest request, ServletResponse response,
                            FilterChain chain) throws IOException, ServletException {
           HttpServletResponse resp = (HttpServletResponse) response;
           resp.setHeader("Expires", "Tue, 03 Jul 2001 06:00:00 GMT");        // a date in the past
           resp.setDateHeader("Last-Modified", System.currentTimeMillis());  // proper HTTP-date, not Date.toString()
           resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
           resp.setHeader("Pragma", "no-cache");
           chain.doFilter(request, response);
       }
   }

   web.xml
   <filter>
       <filter-name>SetCacheControl</filter-name>
       <filter-class>com.sec.dev.CacheControlFilter</filter-class>
   </filter>
   <filter-mapping>
       <filter-name>SetCacheControl</filter-name>
       <url-pattern>/*</url-pattern>
   </filter-mapping>
142. Access to FileSystem
143. Absolute Path is bad
146. Canonicalisation is good
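Added example, not code from the slides: what "canonicalisation is good" looks like for file access. A user-supplied name is resolved under a fixed base directory, the result is canonicalized with File.getCanonicalFile() (which resolves "..", symlinks and platform case rules), and anything that ends up outside the base is refused, so the dot-dot-slash check from the validation slide is enforced on the real path rather than on the string. The base directory under java.io.tmpdir and the sample names are constructed for this example.

```java
import java.io.File;
import java.io.IOException;

/** Resolves user-supplied file names inside one base directory and rejects anything that escapes it. */
public final class SafeFileAccess {
    private final File base;   // canonical base directory

    public SafeFileAccess(File baseDir) throws IOException {
        this.base = baseDir.getCanonicalFile();
    }

    /** Returns the canonical file, or throws when the resolved path is not inside the base directory. */
    public File resolve(String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty() || userPath.indexOf('\0') >= 0) {
            throw new IOException("invalid path");                      // null byte would truncate in native code
        }
        File candidate = new File(base, userPath).getCanonicalFile();  // follows .., symlinks, case folding
        if (!isInside(candidate)) {
            throw new IOException("path escapes base directory");
        }
        return candidate;
    }

    /** Prefix test on canonical paths; the trailing separator stops "/data2" matching base "/data". */
    boolean isInside(File canonical) {
        String prefix = base.getPath() + File.separator;
        return canonical.equals(base) || canonical.getPath().startsWith(prefix);
    }

    public static void main(String[] args) throws IOException {
        File baseDir = new File(System.getProperty("java.io.tmpdir"), "appdata");   // constructed location
        baseDir.mkdirs();
        SafeFileAccess files = new SafeFileAccess(baseDir);
        String[] samples = { "report.txt", "sub/../report.txt", "../../etc/passwd", "a\0b.txt" };
        for (String p : samples) {
            try {
                System.out.println(p.replace('\0', '?') + " -> " + files.resolve(p));
            } catch (IOException e) {
                System.out.println(p.replace('\0', '?') + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check has to run on the canonical form of both sides: comparing the raw user string against the base would pass "sub/../report.txt" and fail on a symlink that points outside, which is exactly backwards. java.nio.file offers the same with Path.normalize() and Path.toRealPath() followed by Path.startsWith().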
147. Secure Communications
148. Secure Communications
• Use TLS/SSL:
   – at least SSL v3.0/TLS 1.0
   – minimum of 128-bit encryption
   – use secure crypto: AES is good
• Don't expose critical data in the URL
• Failed SSL/TLS communications should not fall back to insecure
• Validate the certificate when used
• Protect all pages, not just the logon page!
149. Force TLS/SSL Response
• Use HTTP Strict Transport Security (HSTS).
   – Available on some browsers (not IE)
   – draft IETF: http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-04
   HttpServletResponse response = ...;
   response.setHeader("Strict-Transport-Security", "max-age=7776000; includeSubdomains");
150. Configuration
• Review all properties and configuration files
• Be careful with default passwords...
• Remove, and not just de-activate, unused functions/modules
• Use a sandbox system when available:
   Be careful with Java signed code, which executes with more privileges!
151. Now you can protect against him
152. NEWS, A BLOG, A PODCAST, MEMBERSHIPS, MAILING LISTS, A NEWSLETTER, APPLE APP STORE, VIDEO TUTORIALS, TRAINING SESSIONS, SOCIAL NETWORKING
We are also human beings, and we can simply go for a drink.
153. Dates
• AppSec Research Europe 2013: 20/23 August – Hamburg – Germany
• October 2013: OSSIR PARIS
   – OWASP Top10 2013; what's new?
• OWASP Benelux: 28/29 November 2013
A tour of the JUGs is planned in France, if you know one in your area...
154. Supporting OWASP
• Several options:
   – Individual Member: $50
   – Corporate Member: $5000
   – Free donation
• Supporting only the France chapter:
   – Single Meeting supporter
      • Offer us a meeting room!
      • Take part with a talk or something else!
      • Simple donation
   – Local Chapter supporter:
      • $500 to $2000
155. Next meetings
• September 2013
   – Room: Mozilla Center Paris
   – Speakers:
      • Security on Firefox OS
      • To be defined
• November 2013
   – Room: to be defined
   – Speaker: to be defined
September looks wonderful, with plenty of announcements of all kinds....
156. License
If you have followed everything, you already know the next slide....
@SPoint sebastien.gioria@owasp.org
