Presentation for AFUP on OWASP and on concrete projects for securing a PHP application
AFUP/MOZILLA/OWASP Meeting @Mozilla Paris
5th June 2014, Sébastien Gioria ([email protected]), Chapter Leader & Evangelist OWASP France
OWASP, the Life, the Universe and the ElePHPhants
http://www.google.fr/#q=sebastien gioria
‣ OWASP France Leader & Founder & Evangelist
‣ Innovation and Technology @Advens && Application Security Expert
Twitter: @SPoint / @OWASP_France
‣ Application Security group leader for the CLUSIF
‣ Proud father of young kids trying to hack my digital life.
Agenda
• Application Security: where we are (no bullshit), where we are (hopefully) going?
• Open Web Application Security Project?
• Major projects you can use
Why Application Security?
Your Application has been Hacked: YES / NO
Your Application will be Hacked ;)
My Application will be hacked!
Let me take you on the right way
Next Step
First form in PHP

<?php
// Slide example: a feedback form as it is commonly written.
// $email is taken from the request and placed straight into the "From:" mail
// header without validation (mail header injection), and $_REQUEST accepts
// GET, POST and cookie values alike.
$email   = $_REQUEST['email'];
$message = $_REQUEST['message'];

mail("[email protected]", "Feedback Form Results", $message, "From: $email");
header("Location: http://www.example.com/thankyou.html");
?>
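A hardened rewrite of the form above, added here as an example that is not part of the original slides. It keeps the same field names (email, message); the recipient and sender addresses are placeholders, and the helper name build_feedback_mail is an assumption of this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): the feedback form with the user-supplied
// address validated and kept out of the "From:" header.

const FEEDBACK_RECIPIENT = 'feedback@example.com'; // placeholder recipient

/**
 * Validate the submitted fields and build the arguments for mail().
 * Returns null when the submission must be rejected.
 */
function build_feedback_mail(array $input): ?array
{
    $email   = (string) ($input['email']   ?? '');
    $message = (string) ($input['message'] ?? '');

    // FILTER_VALIDATE_EMAIL only accepts a single well-formed address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Belt and braces: a line break must never reach a header field,
    // because "\r\n" is what separates one mail header from the next.
    if (preg_match('/[\r\n]/', $email) === 1) {
        return null;
    }
    // Bound the body so the form cannot be used to push huge messages.
    if ($message === '' || strlen($message) > 4000) {
        return null;
    }

    // The visitor's address goes into Reply-To; From stays a fixed address
    // under our control (it also keeps SPF/DKIM alignment intact).
    $headers = [
        'From: feedback-form@example.com', // placeholder sender
        'Reply-To: ' . $email,
        'Content-Type: text/plain; charset=UTF-8',
    ];

    return [
        'to'      => FEEDBACK_RECIPIENT,
        'subject' => 'Feedback Form Results',
        'body'    => $message,
        'headers' => implode("\r\n", $headers),
    ];
}

// Read POST only: $_REQUEST would also accept GET parameters and cookies.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $mail = build_feedback_mail($_POST);
    if ($mail === null) {
        http_response_code(400);
        echo 'Invalid submission.';
        exit;
    }
    mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
    header('Location: http://www.example.com/thankyou.html');
    exit; // stop after the redirect header; PHP would otherwise keep executing
}
```

The two changes that matter are that the visitor's address is validated before it is used at all, and that it is placed in Reply-To rather than From, so the only header built from user input is one whose value has been checked to contain no line breaks.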
How to create a login page in PHP and Mysql

<?php
define('DB_HOST', 'localhost');
define('DB_NAME', 'practice');
define('DB_USER', 'root');   // the application connects as the database root account
define('DB_PASSWORD', '');   // ... with an empty password

// mysql_* functions: deprecated in PHP 5.5 and removed in PHP 7.
$con = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD)
    or die("Failed to connect to MySQL: " . mysql_error());
$db = mysql_select_db(DB_NAME, $con)
    or die("Failed to connect to MySQL: " . mysql_error());

/* $ID = $_POST['user']; $Password = $_POST['pass']; */

function SignIn()
{
    session_start(); // starting the session for user profile page
    if (!empty($_POST['user'])) // checking the 'user' name which is from Sign-In.html, is it empty or has some text
    {
        // $_POST values are interpolated into the SQL string unescaped (SQL injection),
        // and the password is compared in clear text, so it is stored in clear text.
        $query = mysql_query("SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'")
            or die(mysql_error());
        $row = mysql_fetch_array($query) or die(mysql_error());

        if (!empty($row['userName']) AND !empty($row['pass']))
        {
            $_SESSION['userName'] = $row['pass']; // the password itself is copied into the session
            echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
        } else {
            echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
        }
    }
}

if (isset($_POST['submit']))
{
    SignIn();
}
?>
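The same login handler rewritten with PDO prepared statements and PHP's password hashing API, added here as an example that is not part of the original slides. It assumes a users table with id, username and password_hash columns, a dedicated database account app_user with a placeholder password, and the helper names db, register_user, authenticate and dummy_hash are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not from the slides): login with bound parameters, salted slow
// password hashes, and a session that stores an identifier instead of a secret.

function db(): PDO
{
    // Placeholder credentials: a low-privilege application account, never root.
    return new PDO('mysql:host=localhost;dbname=practice;charset=utf8mb4', 'app_user', 'CHANGE_ME', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

/** Store a new user with a salted, slow hash (bcrypt via PASSWORD_DEFAULT). */
function register_user(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

/** A hash to verify against when the user does not exist, computed once per process. */
function dummy_hash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    return $hash;
}

/**
 * Check credentials. Returns the user's id on success, null otherwise.
 * The username is a bound parameter, so quotes inside it cannot alter the query.
 */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify, even for an unknown user, so the response
    // time does not reveal which usernames exist.
    $hash = ($row !== false) ? $row['password_hash'] : dummy_hash();
    $ok   = password_verify($password, $hash);
    if ($row === false || !$ok) {
        return null;
    }

    // Transparently upgrade hashes when the default cost or algorithm changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    session_start();
    $userId = authenticate(db(), (string) $_POST['user'], (string) $_POST['pass']);
    if ($userId === null) {
        // One message for both "unknown user" and "wrong password".
        http_response_code(401);
        echo 'Invalid username or password.';
        exit;
    }
    session_regenerate_id(true);    // fresh session id after login (session fixation defence)
    $_SESSION['user_id'] = $userId; // store an identifier, never the password
    echo 'Login successful.';
}
```

Compared with the slide's code, the query text no longer contains anything the user typed, the database never sees or stores a clear-text password, and the session holds a user id rather than the credential itself.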
Game Over....
• Do you have a VoIP phone?
• Do you have an IP router / broadband box?
• Do you have a smartphone?
• Do you have customers / partners over the Internet?
Anything else?
We are living in a Digital environment, in a Connected World
• Most websites are vulnerable to attacks
• A large share of business is web-based (Services, Online Store, Self-care, Telcos, SCADA, ...)
Why Application Security?
Age of Antivirus, Age of Network Security, Age of Application Security
(figure: source (c) Verizon 2014)
Who wins?
(figure: source (c) WhiteHatSecurity 2013)
Vulnerabilities?
(figure: source (c) WhiteHatSecurity 2013)
What is OWASP
Mission Driven: Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services
Community Driven: 30,000 Mail List Participants, 200 Active Chapters in 70 countries, 1600+ Members, 56 Corporate Supporters
Around the World: 200 Chapters, 1 600+ Members, 20 000+ Builders, Breakers and Defenders
Quality Resources: 200+ Projects, 15,000+ downloads of tools, documentation
(figure: pie chart of project types Documentation / Tools / Code, with shares of 50%, 10% and 40%)
Security Lifecycle
Security Resources: News, a Blog, a Podcast, Memberships, Mailing Lists, a Newsletter, Apple App Store, Video Tutorials, Training Sessions, Social Networking
OWASP Projects

OWASP Top10 2013
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure (merges the former A9, insecure transport, and the former A7, cryptographic storage)
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
Cheat Sheets
Developer Cheat Sheets
§ PHP Security Cheat Sheet
§ OWASP Top Ten Cheat Sheet
§ Authentication Cheat Sheet
§ Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
§ Cryptographic Storage Cheat Sheet
§ Input Validation Cheat Sheet
§ XSS (Cross Site Scripting) Prevention Cheat Sheet
§ DOM based XSS Prevention Cheat Sheet
§ Forgot Password Cheat Sheet
§ Query Parameterization Cheat Sheet
§ SQL Injection Prevention Cheat Sheet
§ Session Management Cheat Sheet
§ HTML5 Security Cheat Sheet
§ Transport Layer Protection Cheat Sheet
§ Web Service Security Cheat Sheet
§ Logging Cheat Sheet
§ JAAS Cheat Sheet
Mobile Cheat Sheets
§ IOS Developer Cheat Sheet
§ Mobile Jailbreaking Cheat Sheet
Draft Cheat Sheets
§ Access Control Cheat Sheet
§ REST Security Cheat Sheet
§ Abridged XSS Prevention Cheat Sheet
§ Password Storage Cheat Sheet
§ Secure Coding Cheat Sheet
§ Threat Modeling Cheat Sheet
§ Clickjacking Cheat Sheet
§ Virtual Patching Cheat Sheet
§ Secure SDLC Cheat Sheet
§ Web Application Security Testing Cheat Sheet
§ Application Security Architecture Cheat Sheet
Enterprise Security API
Project Leader: Chris Schmidt, [email protected]
Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
PHP Version: https://code.google.com/p/owasp-esapi-php/
OWASP PHP Security Project
Project Leader: Abbas Naderi, [email protected]
Purpose: OWASP PHP Security Project is an effort by a group of PHP developers in securing PHP web applications, using a collection of decoupled flexible secure PHP libraries, as well as a collection of PHP tools.
https://www.owasp.org/index.php/OWASP_PHP_Security_Project
Guides
Development Guide: comprehensive manual for designing, developing and deploying secure Web Applications and Web Services
Code Review Guide: mechanics of reviewing code for certain vulnerabilities & validation of proper security controls
Testing Guide: understand the what, why, when, where, and how of testing web applications
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
Zed Attack Proxy
Project Leader: Simon Bennetts (aka Psiinon), [email protected]
Purpose: The Zed Attack Proxy (ZAP) provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually in web applications.
Last Release: ZAP 2.3.1 (21 May 2014)
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
The OWASP Secure Software Contract Annex
Intended to help software developers and their clients negotiate important contractual terms and conditions related to the security of the software to be developed or delivered.
CONTEXT: Most contracts are silent on these issues, and the parties frequently have dramatically different views on what has actually been agreed to.
OBJECTIVE: Clearly defining these terms is the best way to ensure that both parties can make informed decisions about how to proceed.
https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
Dates
• RSSIA Bordeaux: 20 June, HeartBleed revisited
• AppSec Europe 2014 - Cambridge:
• Java User Group Lille & Paris: Secure Coding for Java, after the summer break 2014
• Club 27001 / Paris: 25 September 2014, presentation of the ISO 27034 standard
Supporting OWASP
• Several options: Individual Member: $50; Corporate Member: $5000; free donation
• Supporting only the France chapter:
  – Single Meeting supporter: offer us a meeting room, contribute a talk or something else, or make a simple donation
  – Local Chapter supporter: $500 to $2000