Professional Documents
Culture Documents
OWASP Chair
jeff.williams@owasp.org
Copyright © 2006
Copyright
– Aspect
© 2006
Security
- Aspect
– www.aspectsecurity.com
Security
) The Challenge…
2
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
1
) Approach
3
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
) Design
4
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
2
) Architecture Overview
SecurityConfiguration
AccessReferenceMap
EncryptedProperties
Exception Handling
IntrusionDetector
AccessController
Authenticator
HTTPUtilities
Randomizer
Encryptor
Validator
Encoder
Logger
User
5
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
) Benefits of Integration
6
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
3
) Customizing
7
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
8
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
4
) Project Plan and Status
9
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
) Quality
10
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
5
) Handling Authentication and Identity
User Controller Business Data Layer Backend
Functions
ESAPI
Authentication
Intrusion
Detection
Control
Logging
Access
Users
11
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
) Authenticator
Key Methods
) createUser(accountName, pass1, pass2)
) generateStrongPassword()
) getCurrentUser()
) login(request, response)
) verifyAccountNameStrength(acctName)
) verifyPasswordStrength(newPass, oldPass)
12
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
6
) User
Key Methods
) changePassword(old, new1, new2)
) disable() enable()
) getAccountName() getScreenName()
) getCSRFToken()
) getLastFailedLoginTime() getLastLoginTime()
) getRoles() isInRole(role)
) isEnabled() isExpired() isLocked()
) loginWithPassword(password, request, response)
) logout(request, response)
) resetCSRFToken() resetPassword()
) verifyCSRFToken(token)
13
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
Web Service
URL Function Data Service
Check Check Check Check
Controller
Database
Mainframe
User File
Interface Check
File System
14
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
7
) AccessController
Key Methods
) isAuthorizedForData(key)
) isAuthorizedForFile(filepath)
) isAuthorizedForFunction(functionName)
) isAuthorizedForService(serviceName)
) isAuthorizedForURL(url)
15
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
Database
Mainframe
Access
User Reference
Map File System Report123.xls
Indirect Direct
Reference Reference Etc…
http://app?file=7d3J93
16
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
8
) AccessReferenceMap
Key Methods
) getDirectReference(indirectReference)
) getIndirectReference(directReference)
) iterator()
) update(directReferences)
Example
) http://www.ibank.com?file=report123.xls
) http://www.ibank.com?file=a3nr38
17
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
Web Service
Validate EncodeForLDAP
Directory
Database
Etc…
18
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
9
) Validator
Key Methods
) canonicalize(input)
) isValidFileUpload(filepath, filename, content)
) isValidHTTPRequest (request)
) isValidCreditCard(input)
) isValid***** (input)
) isValidRedirectLocation(location)
) isValidSafeHTML(input)
) safeReadLine(inputStream, maxchars)
Canonicalization is really important
Global validation of HTTP requests
19
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
) Encoder
Key Methods
) encodeForBase64(input)
) encodeForDN(input)
) encodeForHTML(input)
) encodeForHTMLAttribute(input)
) …, encodeForJavascript, encodeForLDAP, encodeForSQL,
encodeForURL, encodeForVBScript, encodeForXML,
encodeForXMLAttribute, encodeForXPath
20
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
10
) Enhancing HTTP
Safe File Upload
Verify CSRF Token
Logging
21
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
) HTTPUtilities
Key Methods
) addCSRFToken(href)
) addSafeHeader(header, value, response)
) changeSessionIdentifier(request)
) getFileUploads(request, tempDir, finalDir)
) killCookie(name, request, response)
) sendRedirect(href)
) setCookie(name, value, age, domain, path, response)
) setNoCacheHeaders(response)
22
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
11
) Encryptor
Key Methods
) decrypt(ciphertext)
) encrypt(plaintext)
) hash(plaintext, salt)
) loadCertificateFromFile(file)
) getTimeStamp()
) seal(data, expiration) verifySeal(seal, data)
) sign(data) verifySignature(signature, data)
23
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
) EncryptedProperties
Key Methods
) getProperty(key)
) setProperty(key, value)
) keySet()
) load(inputStream)
) store(outputStream, comments)
24
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
12
) Randomizer
Key Methods
) getRandomInteger(min, max)
) getRandomReal(min, max)
) getRandomString(length, characterSet)
25
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
) Exception Handling
EnterpriseSecurityException
) AccessControlException
) AuthenticationException
) AvailabilityException
) CertificateException
) EncodingException
) EncryptionException
) ExecutorException
) IntrusionException
) ValidationException
Allows a sensible security exception framework
26
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
13
) Logger
Key Methods
) getLogger(applicationName,moduleName)
) formatHttpRequestForLog(request, sensitiveList)
) logCritical(type, message, throwable)
) logDebug(type, message, throwable)
) logError(type, message, throwable)
) logSuccess(type, message, throwable)
) logTrace(type, message, throwable)
) logWarning(type, message, throwable)
27
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
) Detecting Intrusions
ESAPI
IntrusionDetector
Tailorable
Quotas
28
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
14
) IntrusionDetector
Key Methods
) addException(exception)
) addEvent(event)
Model
) EnterpriseSecurityExceptions automatically added
) Specify a threshold for each event type
org.owasp.esapi.ValidationException.count=3
org.owasp.esapi.ValidationException.interval=3 (seconds)
org.owasp.esapi.ValidationException.action=logout
(alternatives are log message, disable account)
29
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
) SecurityConfiguration
Customizable…
) Crypto algorithms
) Encoding algorithms
) Character sets
) Global validation rules
) Logging preferences
) Intrusion detection thresholds and actions
) Etc…
30
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
15
) OWASP Top Ten Coverage
31
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
) Closing Thoughts
Secondary benefits
) May help static analysis do better
) Enables security upgrades across applications
) Simplifies developer training
32
Copyright © 2006 – Aspect Security – www.aspectsecurity.com
16