Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls


1. Ten Commandments of Secure Coding: OWASP Top Ten Proactive Controls
   Mateusz Olejarka, OWASP Poland

2. Mateusz Olejarka (@molejarka)
   Senior IT Security Consultant @SecuRing
   Ex-developer
   OWASP Poland since 2011

3. OWASP
   O = Open
   Docs & tools are free (Creative Commons license, open source)
   Built with open collaboration in mind
   Each one of you can join

4. OWASP Poland Chapter
   Since 2007
   Meetings: Kraków, Poznań, Warszawa
   Free entry
   Supporters: (logos)

5. 4Developers 2014 questionnaire*
   62% of companies do not educate programmers on application security
   >50% of companies do not consider security during the design stage
   73% of participants confirmed that they fixed security-related issues only
   42% confirmed that they do security testing before production deployment
   * SecuRing's study "Praktyki wytwarzania bezpiecznego oprogramowania w polskich firmach 2014" (secure software development practices in Polish companies, 2014)

6. OWASP Top 10 Risks vs. OWASP Top 10 Proactive Controls

7. Disclaimer
   Do not base your application's security on a Top 10* list
   * It is purely educational material
   Each application has its own risk profile

8. 1: Thou shalt parametrize queries

9. SQL/LDAP/XML/command injection
   Easily exploitable
   Simple-to-use tools exist
   Devastating impact
   Source: http://xkcd.com/327/

10. Best practices
   #1 Prepared Statements / Parametrized Queries
   #2 Stored Procedures (watch for exceptions: eval, dynamic blocks, etc.)
   #3 Escaping (risky!)

   Java (JDBC) example of #1: user input is bound as data, never concatenated into the SQL text.

       String newName = request.getParameter("newName");
       String id = request.getParameter("id");
       // The SQL text is fixed; '?' marks the places where values are bound.
       PreparedStatement pstmt = con.prepareStatement(
           "UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
       pstmt.setString(1, newName); // bound as a value, quotes inside it are harmless
       pstmt.setString(2, id);
       pstmt.executeUpdate();

11. References
   Bobby Tables: A guide to preventing SQL injection
   Query Parameterization Cheat Sheet
   SQL Injection Prevention Cheat Sheet
   OWASP Secure Coding Practices Quick Reference Guide

12. 2: Thou shalt encode data

13. XSS
   Site defacement
   Session hijacking

14. Results of missing encoding
   Session hijacking
   Network scanning
   CSRF prevention bypass
   Site defacement (browser)
   Browser hijack (see BeEF)

15. Cross Site Scripting
   But when we write output inside pure JavaScript:
   trn_recipient=';alert('xss');--
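The contrast from slide 10 (string-built SQL versus a parametrized query), as an added example that is not part of the talk: Python with the standard sqlite3 module, which has the same shape as the slide's JDBC snippet. The EMPLOYEES table and its rows are constructed here for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the slides).
SEED_ROWS = [(1, "Alice"), (2, "Bob"), (3, "Carol")]


def fresh_db():
    """In-memory EMPLOYEES table matching the UPDATE on slide 10."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE EMPLOYEES (ID INTEGER PRIMARY KEY, NAME TEXT)")
    con.executemany("INSERT INTO EMPLOYEES VALUES (?, ?)", SEED_ROWS)
    return con


def update_name_unsafe(con, new_name, emp_id):
    """Concatenation: the input is parsed as part of the SQL grammar."""
    sql = f"UPDATE EMPLOYEES SET NAME = '{new_name}' WHERE ID = {emp_id}"
    return con.execute(sql).rowcount


def update_name_safe(con, new_name, emp_id):
    """Parametrized query: the SQL text is fixed, values are bound as data."""
    sql = "UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"
    return con.execute(sql, (new_name, emp_id)).rowcount


def names(con):
    """Current NAME column, ordered by ID, for checking what changed."""
    return [r[0] for r in con.execute("SELECT NAME FROM EMPLOYEES ORDER BY ID")]


def unsafe_breaks_on_apostrophe(con):
    """A legitimate name such as O'Brien already breaks the concatenated query."""
    try:
        update_name_unsafe(con, "O'Brien", 2)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    con = fresh_db()
    print("unsafe, id='1 OR 1=1':", update_name_unsafe(con, "X", "1 OR 1=1"), "rows changed")
    con = fresh_db()
    print("safe,   id='1 OR 1=1':", update_name_safe(con, "X", "1 OR 1=1"), "rows changed")
    print("safe,   name O'Brien:", update_name_safe(con, "O'Brien", 2), "row changed")
```

With the bound parameter the string "1 OR 1=1" is compared against ID as a value and matches nothing, whereas the concatenated version rewrites the WHERE clause and touches every row.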