Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
The goal of the OWASP Top 10 Proactive Controls project is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations.
2. ABOUT ME
PHILIPPE GAMACHE
HI I’M PHILIPPE
I’m a Developer Evangelist for kuzzle.io.
Long-time internet developer, author,
screen caster, podcaster and speaker. I’m
specializes in PHP, Symfony, Kuzzle,
security, code quality, performance, real
time and geolocation.
• Sécurité PHP 5 et MySQL 5
• OWASP Montreal
• PHP Quebec
• Table Top Game Developer
• Pen & Paper RPG Writer
3. PURPOSE OF THE PRESENTATION
• OWASP Top 10 Proactive Controls 2016
• 10 critical security areas that web developers must be aware
• https://www.owasp.org/index.php/OWASP_Proactive_Controls
• OWASP Top 10
• 10 Most Critical Web Application Security Risks
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
WHY WE ARE TALKING ABOUT THIS?
4. OPEN WEB APPLICATION SECURITY PROJECT
• It is a 501c3 not-for-profit and also registered in Europe as a worldwide
charitable organization.
• Focused on improving the security of software.
• Mission is to make application security visible, so that people and
organizations can make informed decisions about true application
security risks.
• Everyone is welcome to participate in OWASP and all materials are
available under free and open software licenses.
CORE MISSION
5. OPEN WEB APPLICATION SECURITY PROJECT
• A1 — Injection
• Injection flaws, such as SQL, OS, XXE, and LDAP injection occurs when
untrusted data is sent to an interpreter as part of a command or query.
The attacker’s hostile data can trick the interpreter into executing
unintended commands or accessing data without proper authorization.
• A2 — Broken Authentication and Session Management
• Application functions related to authentication and session management
are often implemented incorrectly, allowing attackers to compromise
passwords, keys, or session tokens, or to exploit other implementation
flaws to assume other users’ identities (temporarily or permanently).
TOP 10 APPLICATION SECURITY RISKS - 2017
6. OPEN WEB APPLICATION SECURITY PROJECT
• A3 — Cross-Site Scripting (XSS)
• XSS flaws occur whenever an application includes untrusted data in a new
web page without proper validation or escaping, or updates an existing web
page with user supplied data using a browser API that can create JavaScript.
XSS allows attackers to execute scripts in the victim’s browser which can
hijack user sessions, deface web sites, or redirect the user to malicious sites.
• A4 — Broken Access Control
• Restrictions on what authenticated users are allowed to do are not properly
enforced. Attackers can exploit these flaws to access unauthorized
functionality and/or data, such as access other users’ accounts, view sensitive
files, modify other users’ data, change access rights, etc.
TOP 10 APPLICATION SECURITY RISKS - 2017
7. OPEN WEB APPLICATION SECURITY PROJECT
• A5 — Security Misconfiguration
• Good security requires having a secure configuration defined and deployed for
the application, frameworks, application server, web server, database server,
platform, etc. Secure settings should be defined, implemented, and maintained,
as defaults are often insecure. Additionally, software should be kept up to date.
• A6 — Sensitive Data Exposure
• Many web applications and APIs do not properly protect sensitive data, such as
financial, healthcare, and PII. Attackers may steal or modify such weakly
protected data to conduct credit card fraud, identity theft, or other crimes.
Sensitive data deserves extra protection such as encryption at rest or in transit,
as well as special precautions when exchanged with the browser.
TOP 10 APPLICATION SECURITY RISKS - 2017
8. OPEN WEB APPLICATION SECURITY PROJECT
• A7 — Insufficient Attack Protection
• The majority of applications and APIs lack the basic ability to detect, prevent, and
respond to both manual and automated attacks. Attack protection goes far beyond
basic input validation and involves automatically detecting, logging, responding,
and even blocking exploit attempts. Application owners also need to be able to
deploy patches quickly to protect against attacks.
• A8 — Cross-Site Request Forgery (CSRF)
• A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request,
including the victim’s session cookie and any other automatically included
authentication information, to a vulnerable web application. Such an attack allows
the attacker to force a victim’s browser to generate requests the vulnerable
application thinks are legitimate requests from the victim.
TOP 10 APPLICATION SECURITY RISKS - 2017
9. OPEN WEB APPLICATION SECURITY PROJECT
• A9 — Using Components with Known Vulnerabilities
• Components, such as libraries, frameworks, and other software modules, run
with the same privileges as the application. If a vulnerable component is
exploited, such an attack can facilitate serious data loss or server takeover.
Applications and APIs using components with known vulnerabilities may
undermine application defenses and enable various attacks and impacts.
• A10 — Underprotected APIs
• Modern applications often involve rich client applications and APIs, such as
JavaScript in the browser and mobile apps, that connect to an API of some
kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often
unprotected and contains numerous vulnerabilities.
TOP 10 APPLICATION SECURITY RISKS - 2017
10. VERIFY FOR SECURITY EARLY AND OFTEN
• Security testing is not made part of Software Development Life Cycle/
Agile.
• Carried out by others than the development team.
• Development team tries to fix them without putting much thought from
coding and programming point of view.
PROBLEM STATEMENT
11. VERIFY FOR SECURITY EARLY AND OFTEN
• Security must be integral part of SDLC/Agile.
• Include security while writing testing stories and tasks.
• Include the Proactive Controls in stubs and drivers.
• Security testing stories should be defined such that the lowest child story can be
implemented and accepted in a single iteration.
• Testing a Proactive Control must be lightweight.
• Consider OWASP Application Security Verification Standard (ASVS) as a guide to define
security requirements and testing.
• Convert scanning output into reusable Proactive Controls to avoid entire classes of
problems.
CONTROL EXPLAINED
12. VERIFY FOR SECURITY EARLY AND OFTEN
• https://www.owasp.org/index.php/OWASP_Testing_Project
• https://www.owasp.org/index.php/
Category:OWASP_Application_Security_Verification_Standard_Project
• http://devops.com/2015/04/06/automated-security-testing-
continuous-delivery-pipeline/
• https://www.continuumsecurity.net/bdd-security/
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• https://www.owasp.org/index.php/OWASP_OWTF
RESSOURCES
13. VERIFY FOR SECURITY EARLY AND OFTEN
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A9 - Using
Components with
Known
Vulnerabilities
14. PARAMETERIZE QUERIES
• Web application can be used to run dangerous OS commands;
• Against the OS hosting the database.
• SQL query and its parameters are contained in one query string.
PROBLEM STATEMENT
15. PARAMETERIZE QUERIES
• Untrusted input should be prevented from being interpreted as part of
an SQL command:
• Use “Query Parameterization”;
• SQL statements are sent to and parsed by the database server
separately from any parameters.
CONTROL EXPLAINED
16. PARAMETERIZE QUERIES
QUERY PARAMETERIZATION
$dbh =
new PDO("pgsql:host={$host};port={$port};dbname={$db};user={$user};password={$pass}");
$stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
17. PARAMETERIZE QUERIES
• Use defense in depth;
• Use automated static analysis;
• Use proper database management system configuration.
• Configure database engines to only support parameterized queries.
CONTROL EXPLAINED
19. PARAMETERIZE QUERIES
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A9 - Using
Components with
Known
Vulnerabilities
20. ENCODE DATA
PROBLEM STATEMENT
• Web forms written to accept inputs from untrusted sources/users.
• Attacker tricks users into executing malicious script that was not
originally built into the website.
• Manipulation of user response.
• XSS attacks execute in the user’s browser.
• Same risk remains in mobile based applications as well.
21. ENCODE DATA
CONTROL EXPLAINED
• Encoding is translating special characters into some equivalent form that is no
longer dangerous in the target interpreter.
• Manipulating user generated content:
• Ensure that data is filtered;
• Ensure that data is encoded.
• Loading content from an external source:
• Apps that need to display untrusted content inside a Web View should use a
dedicated server/host to render and escape HTML/Javascript content in a safe
way. Prevents access to local system contents by malicious JavaScript code.
23. ENCODE DATA
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A9 - Using
Components with
Known
Vulnerabilities
24. VALIDATE ALL INPUTS
PROBLEM STATEMENT
• All the data directly entered by users should be treated as untrusted.
• An application should check that this data is both syntactically and
semantically valid (in that order) before using it in any way.
• The most secure applications treat all variables as untrusted and provide
security controls regardless of the source.
25. VALIDATE ALL INPUTS
CONTROL EXPLAINED
• Use two general approaches to performing input syntax validation white
listing preferred over black listing.
• Regular expressions offer a way to check whether data matches a specific
pattern this is a great way to implement whitelist validation.
• The security of the application should be enforced where that input is used:
• If input is used to build an HTML response, then the appropriate HTML
encoding should be performed to prevent XSS attacks.
• If input is used to build a SQL statement, Query Parameterization should
be used.
26. VALIDATE ALL INPUTS
FILE UPLOAD
• Generic Upload Verification:
• Check filename;
• Check file size;
• Ensure decompressed size of file < maximum size;
• Ensure that an uploaded archive matches the type expected (zip, rar);
• Ensure structured uploads such as an add-on follow proper standard;
• And maybe check with an anti-virus.
27. VALIDATE ALL INPUTS
FILE UPLOAD
• Image Upload Verification:
• Enforce proper image size limits;
• Use image rewriting libraries;
• Set the extension of the stored image to be a valid image extension;
• Ensure the detected content type of the image is safe.
28. VALIDATE ALL INPUTS
FILE UPLOAD
• If you can, check files on separate server.
• Beware of "special" files:
• "crossdomain.xml", "clientaccesspolicy.xml", "index.php", "config.yml",
".htaccess", "faveicon.ico", "composer.json"…
• Upload Storage:
• Use only trusted filenames + separate domain.
29. VALIDATE ALL INPUTS
VALIDATION AND SANITIZATION
<?php
$sanitized_email = filter_var($email, FILTER_SANITIZE_EMAIL);
if (filter_var($sanitized_email, FILTER_VALIDATE_EMAIL)) {
echo "This sanitized email address is considered valid.n";
}
31. VALIDATE ALL INPUTS
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A9 - Using
Components with
Known
Vulnerabilities
32. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS
PROBLEM STATEMENT
• Session management has to be secured in application flow to maintain
the state of entity interacting with the server.
• Only authorized users must be accessing the resources after enough
authentication.
33. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS
CONTROL EXPLAINED
• Do not limit the type of characters or length of user password within
reason;
• Limiting passwords to protect against injection is doomed to failure.
• Use proper encoder and other defenses described instead.
• Be wary of systems that allow unlimited password sizes.
34. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS
CONTROL EXPLAINED
• Use Multi-Factor Authentication.
• Implement Secure Password Storage using cryptography controls.
• Implement Secure Password Recovery Mechanism.
• Session: Generation and Expiration: On any successful authentication and
reauthentication the software should generate a new session and session id.
• Mandatory to set expiration timeouts for every session, after a specified
period of inactivity.
• Reauthentication for Sensitive Features.
35. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS
PASSWORD ENCODING
<?php
$cost = 15;
// From PHP 5.5 to 7.1 PASSWORD_DEFAULT to using the bcrypt algorithm
$password_hash = password_hash("secret_password", PASSWORD_DEFAULT, ["cost" => $cost] );
36. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS
CONTROL EXPLAINED - MOBILE APPLICATION OR API
• Token Based Authentication.
• Avoid storing/persisting authentication credentials locally on the device.
• Perform initial authentication using the username and password supplied
by the user, and then generate a short-lived access token which can be
used to authenticate a client's request without sending the user’s
credentials.
38. IMPLEMENT IDENTITY AND AUTHENTICATION CONTROLS
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A1A9 - Using
Components with
Known
Vulnerabilities
39. IMPLEMENT APPROPRIATE ACCESS CONTROLS
PROBLEM STATEMENT
• Access Control is one of the main areas of application security design that must be
heavily thought through up front, especially when addressing requirements like
multitenancy and horizontal (data specific) access control.
• Hard-coded role checks in application code:
• Lack of centralized access control logic;
• Untrusted data driving access control decisions;
• Access control that is "open by default";
• Lack of addressing horizontal access control in a standardized way (if at all);
• Access control logic that needs to be manually added to every endpoint in code;
• Access Control that is “sticky” per session;
• Access Control that requires per-user policy.
40. IMPLEMENT APPROPRIATE ACCESS CONTROLS
CONTROL EXPLAINED
• Force All Requests to go Through Access Control Checks.
• Deny by Default.
• Principle of Least Privilege: each user or system component should be allocated the
minimum privilege required to perform an action for the minimum amount of time.
• Avoid Hard Coded Access Control Checks: enforcement layer (checks in code) and your
access control decision-making process (the access control "engine") should be separated
when possible.
• Code to the Activity: Consider checking if the user has access to that feature in code, as
opposed checking what role the user is in code.
• Server side Trusted Data Should Drive Access Control. Policy data such as a user’s role or an
access control rule should never be part of the request.
41. IMPLEMENT APPROPRIATE ACCESS CONTROLS
CODE TO THE ACTIVITY
<?php
// Instead of hard-coding role check all throughout your code base
if ($user->hasRole("ADMIN")) || ($user->hasRole("MANAGER")) {
deleteAccount();
}
// Consider the following instead
if ($user->hasAccess("DELETE_ACCOUNT")) {
deleteAccount();
}
43. IMPLEMENT APPROPRIATE ACCESS CONTROLS
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A1A9 - Using
Components with
Known
Vulnerabilities
44. PROTECT DATA
PROBLEM STATEMENT
• Access Control is one of the main areas of application security design
that must be heavily thought through up front, especially when
addressing requirements like multitenancy and horizontal (data specific)
access control.
45. PROTECT DATA
CONTROL EXPLAINED
• Classify and Encrypt Data at rest.
• Develop your own crypto algorithm & key size should be optly chosen.
46. PROTECT DATA
CONTROL EXPLAINED
• Encrypt Data in Transit. TLS is by far the most common and widely
supported model used by web applications for encryption in transit:
• Confidentiality: Spy cannot view your data;
• Integrity: Spy cannot change your data
• Authenticity: Server you are visiting is the right one.
• Implement Protection in Transit.
49. PROTECT DATA
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A1A9 - Using
Components with
Known
Vulnerabilities
50. IMPLEMENT LOGGING AND INTRUSION DETECTION
PROBLEM STATEMENT
• Logging is used in BIA, Monitoring, Forensics, compliance and intrusion
detection.
• It must be designed properly from early SDLC stage.
51. IMPLEMENT LOGGING AND INTRUSION DETECTION
CONTROL EXPLAINED
• Ensure proper level of logging
• Follow a common logging approach within the system and across systems
where possible to make correlation easy
• Make sure to always log the timestamp and identifying information like
the source IP and userid, but be careful not to log private or confidential
data or opt out data or secrets
• Design proper positioning of IDS sensors and management.
53. IMPLEMENT LOGGING AND INTRUSION DETECTION
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A1A9 - Using
Components with
Known
Vulnerabilities
54. LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES
PROBLEM STATEMENT
• Starting from scratch when it comes to developing security controls for
every web application, web service or mobile application leads to wasted
time and massive security holes.
55. LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES
CONTROL EXPLAINED
• When possible, the emphasis should be on using the existing secure
features of frameworks rather than importing third party libraries. It is
preferable to have developers take advantage of what they’re already
using instead of forcing yet another library on them.
• Not all the frameworks are completely secured hence it is important to
build in additional security where possible, updating frequently and
verifying them for security early and often like any other software you
depend upon.
57. LEVERAGE SECURITY FRAMEWORKS AND LIBRARIES
OWASP TOP 10 VULNERABILITY/ATTACKS
A1 - Injection
A2 - Broken
Authentication
and Session
Management
A3 - Cross-Site
Scripting (XSS)
A4 - Broken Access
Control
A5 - Security
Misconfiguration
A6 - Sensitive Data
Exposure
A10 -
Underprotected
APIs
A7 - Insufficient
Attack Protection
A8 — Cross-Site
Request Forgery
(CSRF)
A1A9 - Using
Components with
Known
Vulnerabilities
58. ERROR AND EXCEPTION HANDLING
PROBLEM STATEMENT
• Implementing correct errors and exceptions handling isn’t exciting, but
like input data validation, it is an important part of defensive coding,
critical to making a system reliable as well as secure.
• Mistakes in error handling can lead to different kinds of security
vulnerabilities.
59. ERROR AND EXCEPTION HANDLING
CONTROL EXPLAINED
• Manage exceptions in a centralized manner to avoid duplicating try/catch
blocks in the code, and to ensure that all unexpected behaviors are
correctly handled inside the application.
• Ensure that error messages displayed to users do not leak critical data,
but are still verbose enough to explain the issue to the user.
• Ensure that exceptions are logged in a way that gives enough
information for Q/A, forensics or incident response teams to understand
the problem.