This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Summit 2011/OWASP Secure Coding Workshop"

From OWASP
Jump to: navigation, search
Line 16: Line 16:
 
|-
 
|-
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Short Work Session Description'''  
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Short Work Session Description'''  
| align="left" colspan="6" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" |  <br>
+
| align="left" colspan="6" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" |  This will be a "NO FLUFF" track where we pull out ourlaptops (not for email/IM), and show people how to develop securecode. Chris Schmidt referred to this here: http://yet-another-dev.blogspot.com/2010/11/cross-pollination-its-not-just-for-bees.html  The Global Summit in Portugal will be a prototype for this new type of "track" and hopefully we can continue it in Minnesota for AppSec USA 2011. Pravir led something like this with SAMM (but regarding process) in Portugal the first time around and it was incredibly valuable.
 +
<br>
 +
I'd like to propose the following skeleton and get passionate developers to sign up for it. I'm imagining 1/2 day sessions. (So, over four days, we could have eight (8) facilitators). I suggest we pick a single target (Java EE?), a single victim app, and a single container as a 'base of operations' for the first one to keep things simple.
 +
<br>
 
|-
 
|-
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Related Projects (if any)'''  
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Related Projects (if any)'''  
Line 32: Line 35:
 
|-
 
|-
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Objectives'''  
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Objectives'''  
| align="left" colspan="6" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <font color="black"></font><font color="black"></font><font color="black"> </font>  
+
| align="left" colspan="6" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <font color="black"></font><font color="black"></font><font color="black"> Track Mission: Building Security In: Using OWASP tools/techniques/code to build secure applications. (The list below is not in any particular order. In fact, that may be something to talk about. I've tried to provide four (4) one-hour seeds for each session, subject again to discussion)<br>
 +
</font>  
  
 
|-
 
|-
Line 48: Line 52:
 
|}
 
|}
  
{| border="0" align="center" style="width: 100%;"
+
<br>
|-
 
! align="center" colspan="7" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font color="white">'''WORKING SESSION OPERATIONAL RESOURCES'''</font>
 
|-
 
| align="center" style="width: 100%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" |
 
|}
 
 
 
{| border="0" align="center" style="width: 100%;"
 
|-
 
! align="center" colspan="7" style="background: none repeat scroll 0% 0% white; color: white;" | <font color="black"></font> <br>
 
|}
 
  
 
{| border="0" align="center" style="width: 100%;"
 
{| border="0" align="center" style="width: 100%;"
 
|-
 
|-
! align="center" colspan="7" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font color="white">'''WORKING SESSION ADDITIONAL DETAILS'''</font>
+
! align="center" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" colspan="7" | <font color="white">'''WORKING SESSION ADDITIONAL DETAILS'''</font>
 
|-
 
|-
 
| align="left" style="width: 100%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" |  
 
| align="left" style="width: 100%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" |  
 +
'''1. Applying ESAPI Input Validation'''
 +
*Serial Decomp: Decode, canonicalize, filter<br>
 +
*Structured data (SSN, CC, etc.) <br>
 +
*Unstructured data (comments, blogs, etc.) <br>
 +
*Other input exaples (ws-, database, etc.) <br>
 +
'''2. Defining AppSensor Sensors for:'''<br>
 +
*Forced Browsing <br>
 +
*Request Velocity<br>
 +
*Unexpected encodings<br>
 +
*Impersonation (Sudden user switch) <br>
 +
'''3. Managing Sessions'''<br>
 +
*Across requests<br>
 +
*Across containers<br>
 +
*Invalidating sessions (Timeout, attack event, logout)<br>
 +
*Invalidating sessions (across containers, SSO token invalidation, user termination)<br>
 +
'''4. Protecting Information Stored Client-Side'''<br>
 +
*Threat Modeling the problem <br>
 +
*Protecting theft and re-playability of application-specific info (on client & in flight)<br>
 +
*Protecting theft and re-playability of session-specific info (in flight)<br>
 +
*Protecting session-specific information from attack on the client <br>
 +
'''5. Protecting against CSRF'''<br>
 +
*Hygiene: Discuss/show frames-busting, cross-domain policy; Discuss referrer and other red herrings <br>
 +
*Tokens (crafting, scoping, and checking)<br>
 +
*Discussions, techniques on scale<br>
 +
*Discussions, techniquest on CAPTCHA, re-auth, etc. <br>
 +
'''6. Providing Access to Persisted Data'''<br>
 +
*Controlling visibility of tables by role<br>
 +
*Providing access to safe SQL-like query through DAO layer<br>
 +
*Discussions, techniques for providing secure'auto-wiring' / marshaling<br>
 +
*Encoding and canonicalization for storage (or alternatively: Security concerns with heirarchical caching and object pooling) <br>
 +
 +
'''7. and 8. TBD'''
 
|}
 
|}
  
 +
<br>
 
{| border="0" align="center" style="width: 100%;"
 
{| border="0" align="center" style="width: 100%;"
 
|-
 
|-
Line 83: Line 110:
 
| align="center" style="width: 47%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | After the Board Meeting - fill in here.
 
| align="center" style="width: 47%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | After the Board Meeting - fill in here.
 
|}
 
|}
 +
  
 
== Working Session Participants  ==
 
== Working Session Participants  ==
  
{{:Template:Summit 2011 Working Sessions Attendee/Columns}}
+
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)
{{:Summit_2011_Attendee/Attendee110 | Summit 2011 Working Sessions Attendee/Rows_Browser_Security}}
+
 
{{:Summit_2011_Attendee/Attendee110 | Summit 2011 Working Sessions Attendee/Rows_Browser_Security}}
+
 
 +
{| border="0" align="center" style="width: 100%;"
 +
|-
 +
! align="center" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" colspan="7" | <font color="white">'''WORKING SESSION PARTICIPANTS'''</font>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''Name'''
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''Company'''
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''Notes &amp; reason for participating, issues to be discussed/addressed'''
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|-
 +
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 +
|}
  
 +
If needed add here more lines.
 
|}
 
|}
 
<br>
 
<br>

Revision as of 01:59, 14 December 2010

Global Summit 2011 Home Page
Global Summit 2011 Schedule
Global Summit 2011 Working Sessions

Working Sessions Operational Rules - Please see here the general frame of rules.
WORKING SESSION IDENTIFICATION
Work Session Name No Fluff, Just Stuff
Short Work Session Description This will be a "NO FLUFF" track where we pull out ourlaptops (not for email/IM), and show people how to develop securecode. Chris Schmidt referred to this here: http://yet-another-dev.blogspot.com/2010/11/cross-pollination-its-not-just-for-bees.html The Global Summit in Portugal will be a prototype for this new type of "track" and hopefully we can continue it in Minnesota for AppSec USA 2011. Pravir led something like this with SAMM (but regarding process) in Portugal the first time around and it was incredibly valuable.


I'd like to propose the following skeleton and get passionate developers to sign up for it. I'm imagining 1/2 day sessions. (So, over four days, we could have eight (8) facilitators). I suggest we pick a single target (Java EE?), a single victim app, and a single container as a 'base of operations' for the first one to keep things simple.

Related Projects (if any)
Email Contacts & Roles Chair
John Steven 		Secretary
 Mailing list
Subscription Page
WORKING SESSION SPECIFICS
Objectives Track Mission: Building Security In: Using OWASP tools/techniques/code to build secure applications. (The list below is not in any particular order. In fact, that may be something to talk about. I've tried to provide four (4) one-hour seeds for each session, subject again to discussion)

Venue/Date&Time/Model Venue
OWASP Global Summit Portugal 2011

Date&Time

Discussion Model


WORKING SESSION ADDITIONAL DETAILS

1. Applying ESAPI Input Validation

  • Serial Decomp: Decode, canonicalize, filter
  • Structured data (SSN, CC, etc.)
  • Unstructured data (comments, blogs, etc.)
  • Other input exaples (ws-, database, etc.)

2. Defining AppSensor Sensors for:

  • Forced Browsing
  • Request Velocity
  • Unexpected encodings
  • Impersonation (Sudden user switch)

3. Managing Sessions

  • Across requests
  • Across containers
  • Invalidating sessions (Timeout, attack event, logout)
  • Invalidating sessions (across containers, SSO token invalidation, user termination)

4. Protecting Information Stored Client-Side

  • Threat Modeling the problem
  • Protecting theft and re-playability of application-specific info (on client & in flight)
  • Protecting theft and re-playability of session-specific info (in flight)
  • Protecting session-specific information from attack on the client

5. Protecting against CSRF

  • Hygiene: Discuss/show frames-busting, cross-domain policy; Discuss referrer and other red herrings
  • Tokens (crafting, scoping, and checking)
  • Discussions, techniques on scale
  • Discussions, techniquest on CAPTCHA, re-auth, etc.

6. Providing Access to Persisted Data

  • Controlling visibility of tables by role
  • Providing access to safe SQL-like query through DAO layer
  • Discussions, techniques for providing secure'auto-wiring' / marshaling
  • Encoding and canonicalization for storage (or alternatively: Security concerns with heirarchical caching and object pooling)

7. and 8. TBD


WORKING SESSION OUTCOMES
Statements, Initiatives or Decisions Proposed by Working Group Approved by OWASP Board

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.


Working Session Participants

(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)


WORKING SESSION PARTICIPANTS

Name Company Notes & reason for participating, issues to be discussed/addressed




























































If needed add here more lines. |}

Retrieved from "https://wiki.owasp.org/index.php?title=Summit_2011/OWASP_Secure_Coding_Workshop&oldid=96212"