{"id":97,"date":"2008-09-24T15:42:30","date_gmt":"2008-09-24T20:42:30","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=97"},"modified":"2008-09-24T16:01:29","modified_gmt":"2008-09-24T21:01:29","slug":"enterprise-security-api-owasp-appsec-nyc-2008","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2008\/09\/24\/enterprise-security-api-owasp-appsec-nyc-2008\/","title":{"rendered":"Enterprise Security API &#8211; OWASP AppSec NYC 2008"},"content":{"rendered":"<p>This presentation was by Jeff Williams, OWASP Chair, on the Enterprise Security API.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Vulnerabilities and Security Controls<\/strong><\/span><\/p>\n<ul>\n<li>Missing &#8211; 35%<\/li>\n<li>Broken &#8211; 30%<\/li>\n<li>Ignored &#8211; 20%<\/li>\n<li>Misused &#8211; 15%<\/li>\n<\/ul>\n<p>Goal is to enable developers.\u00a0 Need to give them hands-on training, a secure coding guideline, and an Enterprise Security API.<\/p>\n<p>The problem with Security Libraries: overpowerful, incomplete, not integrated, broken, can&#8217;t update, custom.<\/p>\n<p>Enterprise Security API (ESAPI) includes authentication, user, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetection, and SecurityConfiguration.\u00a0 Built on top of your existing enterprise services or libraries.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Some Examples<\/strong><\/span><\/p>\n<ol>\n<li>Input Validation &#8211; validation engine and decoding engine that will take input and provide safe output for web pages<\/li>\n<li>Output Encoding &#8211; need to use the encoding that matches the context where the output is being placed<\/li>\n<li>Authentication &#8211; creates a user object and functions to login() or logout().\u00a0 Provides additional functionality for encrypted cookies, changing SESSIONID, remember me cookies, 
etc.<\/li>\n<li>Access Control &#8211; provides functionality to check if a user is authorized for URLs, functions, data, services, or files.<\/li>\n<li>Direct Object Reference Protection &#8211; use an access reference map that does an indirect translation between an object and its reference.\u00a0 Use getDirectReference() and getIndirectReference() functions.<\/li>\n<li>Error, Logging, and Detection &#8211; Configurable thresholds.\u00a0 Responses are log intrusion, logout user, and disable account.\u00a0 User object is available anywhere in the application so the logger links the messages logged to a user.\u00a0 Exceptions are sent to an intrusion detector that has thresholds set.<\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\"><strong>OWASP ESAPI Covers Majority of OWASP Top Ten<\/strong><\/span><\/p>\n<ul>\n<li>A1. XSS &#8211; Validator, Encoder<\/li>\n<li>A2. Injection Flaws &#8211; Encoder<\/li>\n<li>A3. Malicious File Execution &#8211; HTTPUtilities (Safe Upload)<\/li>\n<li>A4. Insecure Direct Object Reference &#8211; AccessReferenceMap, AccessController<\/li>\n<li>A5. CSRF &#8211; User (CSRF Token)<\/li>\n<li>A6. Leakage and Improper Error Handling &#8211; EnterpriseSecurityException, HTTPUtils<\/li>\n<li>A7. Broken Authentication and Sessions &#8211; Authenticator, User, HTTPUtils<\/li>\n<li>A8. Insecure Cryptographic Storage &#8211; Encryptor<\/li>\n<li>A9. Insecure Communications &#8211; HTTPUtilities (Secure Cookie, Channel)<\/li>\n<li>A10. 
Failure to Restrict URL Access &#8211; AccessController<\/li>\n<\/ul>\n<p>MITRE found that all application security tool vendors&#8217; claims put together cover only 45% of the known vulnerability types (695).\u00a0 They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).\u00a0 This means that at least 55% is not covered by tools.<\/p>\n<p>Latest version (1.3.1) was released in September 2008, and they are holding a summit later this year to determine if they got everything right.\u00a0 In active development.\u00a0 Java, .NET, PHP, classic ASP.\u00a0 Rich client extensions.\u00a0 Web service extensions.\u00a0 Framework (Struts) integration.<\/p>\n<p>Written under the BSD license so it should be very easy for you to use it in your applications.<\/p>\n<p>Project Home Page: http:\/\/www.owasp.org\/index.php\/ESAPI<\/p>\n<p>Expert advisory\/design\/implementation team that has collectively reviewed over 100 million lines of code.\u00a0 ~600 JUnit test cases.\u00a0 FindBugs, PMD, Ounce, and Fortify clean.\u00a0 Code review by several Java security experts.\u00a0 Penetration test of sample applications.\u00a0 Full Javadoc for all functions.<\/p>\n<p>Presentation will be posted on homepage.\u00a0 Includes a list of banned APIs that ESAPI replaces.\u00a0 Has example of enterprise cost savings.\u00a0 All of ESAPI is only 5000 lines of code.\u00a0 Building an ESAPI Swingset which has a demo of insecure (what can go wrong) and secure (using ESAPI) programming and a good tutorial on how to use it.\u00a0 Login module shows last successful login, last failed login, number of failed logins, and enforces a strong password policy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This presentation was by Jeff Williams, OWASP Chair, on the Enterprise Security API. 
Vulnerabilities and Security Controls Missing &#8211; 35% Broken &#8211; 30% Ignored &#8211; 20% Misused &#8211; 15% Goal is to enable developers.\u00a0 Need to give them hands-on training, a secure coding guideline, and an Enterprise Security API. The problem with Security Libraries: overpowerful, [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[127,4],"tags":[150,76,128,91,154,151,97,153,152,12,90,622],"class_list":["post-97","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-nyc-2008","category-web-app-sec","tag-api","tag-application","tag-appsec","tag-code","tag-coding","tag-enterprise","tag-java","tag-lib","tag-library","tag-owasp","tag-secure","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-1z","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/97","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\
/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=97"}],"version-history":[{"count":3,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/97\/revisions"}],"predecessor-version":[{"id":104,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/97\/revisions\/104"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=97"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=97"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=97"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}