Sf startup-security
1 like8,101 views
The document discusses securing applications by focusing on important security risks and topics. It recommends starting with the OWASP Top 10 list and understanding issues like SQL injection, cross-site scripting, insecure password storage, and insecure session management. The document provides guidance on implementing security best practices for these topics, such as using parameterized queries, output encoding, and HTTP Strict Transport Security. It stresses the importance of building a security culture within an organization.
![<div class="featured">
<form action="/en-US/firefox/
users/login" method="post"
id="login" class="featured-inner
object-lead">
<div>
<input type="hidden"
name="data[Login][referer]"
XSS Example
Name:_____
submit
Login: ___
Pass: ____
submit to evil site
javascript
javascript
<install malware>
(1) Attacker submits malicious code
(2) Code is now part of webpage
(3) Malicious site steals
passwords & installs malware
(4) Attacker spreads malicious URL
http://site.com/%3cscript%3edocument%2e
Thursday, May 30, 13](https://image.slidesharecdn.com/sf-startup-security-130530154315-phpapp01/85/Sf-startup-security-14-320.jpg)
Sf startup-security
- 2. You are a target The attackers are talented and motivated Thursday, May 30, 13
- 3. Data Loss: Growing Problem http://datalossdb.org/statistics Thursday, May 30, 13
- 4. Data Loss & Breaches from Hacking http://datalossdb.org/statistics2013Verizon DBR Thursday, May 30, 13
- 5. Data Loss: Outside Attackers http://datalossdb.org/statistics2013Verizon DBR Thursday, May 30, 13
- 6. Security The Basics • Understand the problem space & challenges • SSL isn’t as easy “https” • You can’t store passwords with just hashing • SQL Injection & Cross Site Scripting should be understood by all developers Thursday, May 30, 13
- 7. Where To Start? • Focus on Risk - not vulnerability “flavor of the day” • Reference top risks and customize • OWASP Top 10 https://www.owasp.org/index.php/Top_10_2013-Top_10 1. Injection 2. Broken Authentication & Session Management 3. Cross Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards Thursday, May 30, 13
- 8. Password Storage Thursday, May 30, 13
- 9. Password Storage Options • Plain text / Home grown obfuscation • md5 • sha2 (256 / 512) • sha2 with generic salt • sha2 with per user salt • Bcrypt or PBKDF2 https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet Weakest Strongest Currently Considered Acceptable Thursday, May 30, 13
- 10. SQL Injection Thursday, May 30, 13
- 11. SQL Injection Worries • Issue • SQL statements don’t properly handle user supplied data • Users change intent of SQL executed by DB • Risk • Data Compromise • Corruption of Data Thursday, May 30, 13
- 12. Into the Details • Intent Select * from users where lastname = ‘+ someVar +’; • Attacker enters: x’ or 1=1-- • Result Select * from users where lastname = ‘+ x’ or 1=1-- +’; • Solution Parameterized Queries Thursday, May 30, 13
- 13. Cross Site Scripting Thursday, May 30, 13
- 14. <div class="featured"> <form action="/en-US/firefox/ users/login" method="post" id="login" class="featured-inner object-lead"> <div> <input type="hidden" name="data[Login][referer]" XSS Example Name:_____ submit Login: ___ Pass: ____ submit to evil site javascript javascript <install malware> (1) Attacker submits malicious code (2) Code is now part of webpage (3) Malicious site steals passwords & installs malware (4) Attacker spreads malicious URL http://site.com/%3cscript%3edocument%2e Thursday, May 30, 13
- 15. Tackling Cross Site Scripting • In Code • Output encoding • Context is important - see OWASP XSS Cheat Sheet • Working with browsers to eliminate XSS • Content Security Policy https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet https://developer.mozilla.org/en-US/docs/Security/CSP Thursday, May 30, 13
- 16. SSL Thursday, May 30, 13
- 17. Insecure Session Management • Secure login over HTTPS • Password submitted encrypted • Immediate redirect to HTTP • Session ID sent cleartext <-- vulnerability point Request' SessionID:'5593…' Response' SSL# Request' Response' Set'SessionID:'5593…' https://site.com/login http://site.com/profile Thursday, May 30, 13
- 18. Insecure Redirects • User requests HTTP page, response redirects HTTPS • 302 Response is HTTP <-- Vulnerability Point SSL# Get$http://mybank.com$ 302$Redirect$ Location:$https://mybank.com$ Get$https://mybank.com$ 200$Found$ mybank.com Thursday, May 30, 13
- 19. Secure Design for Communication • HTTP Strict Transport Security (HSTS) • Opt-in security control • Website instructs compatible browser to enable STS for site • HSTS Forces (for enabled site): • All communication over HTTPS • No insecure HTTP requests sent from browser • No option for user to override untrusted certificates Thursday, May 30, 13
- 20. Strict Transport Security • Browser prevents HTTP requests to HSTS site • Any request to site is “upgraded” to HTTPS • No clear text HTTP traffic ever sent to HSTS site • Browser assumes HTTPS for HSTS sites SSL# Get$$ http://mybank.com$ Get$https://mybank.com$ 200$Found$ HSTS# Thursday, May 30, 13
- 21. Building a Security Culture Thursday, May 30, 13
- 22. Security Culture • Set guidelines that are usable • Ensure security is a priority, not a “tax” • Security can live in all stages: • Planning, Dev, QA, Deployment, Monitoring https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines Thursday, May 30, 13
- 23. Tools to Assist • Free • OWASP ZAP Proxy - owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project • Security Cheat Sheets - owasp.org/index.php/Cheat_Sheets • Learning Lab OWASP Webgoat - owasp.org/index.php/Category:OWASP_WebGoat_Project • Extensive OWASP guidelines - owasp.org • Professional Tools • Static / Dynamic Analysis • Security Architecture Reviews • Ongoing or point-in-time penetration tests Thursday, May 30, 13
- 24. Take Aways • Security is a concern for your business • Tackle security fundamentals • Build a culture of security & leverage available resources Thursday, May 30, 13