Java Web Application Security
Matt Raible
http://raibledesigns.com
@mraible
Photos by Trish - http://mcginityphoto.com
© 2013 Raible Designs

Who is Matt Raible?
Father, Skier, Cyclist
Web Framework Connoisseur
Founder of
Blogger on

Why am I here?
Purpose
To learn more about Java webapp security and transform myself into a security expert.
Goals
Show how to implement Java webapp security.
Show how to penetrate a Java webapp.
Show how to fix vulnerabilities.

Why are you here?
For the free beer?
Because you care about security?
Have you used Java EE 6, Spring Security or Apache Shiro?
What do you want to get from this talk?

Session Agenda
Security Development
- Java EE 6, Spring Security, Apache Shiro
- SSL and Testing
Verifying Security
- OWASP Top 10 & Zed Attack Proxy
- Commercial Tools and Services
Conclusion

Develop. Penetrate. Protect. Relax.

Develop

Dynamic Language Support?
If it deploys on Tomcat, it has a web.xml
- Grails
- JRuby on Rails
- Lift
- Play! Framework

Java EE 6
Security constraints defined in web.xml
- web resource collection - URLs and methods
- authorization constraints - role names
- user data constraint - HTTP or HTTPS
User Realm defined by App Server
Declarative or Programmatic Authentication
Annotations Support

Java EE 6 Demo

Servlet 3.0
HttpServletRequest
- authenticate(response)
- login(user, pass)
- logout()
- getRemoteUser()
- isUserInRole(name)

Servlet 3.0 and JSR 250 Annotations
- @ServletSecurity
- @HttpMethodConstraint
- @HttpConstraint
- @RolesAllowed
- @PermitAll
- @DenyAll

Java EE Security Limitations
No error messages for failed logins
No Remember Me
Container has to be configured
Doesn’t support regular expressions for URLs

Spring Security
Filter defined in web.xml
Separate security context file loaded by Spring
Defines URLs, Roles and Authentication Providers
Defines UserService (provided or custom)
Password Encoding
Remember Me

Spring Security Demo

Securing Methods

<global-method-security secured-annotations="enabled"/>

@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
public Account readAccount(Long id);

@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
public Account[] findAccounts();

@Secured("ROLE_TELLER")
public Account post(Account account, double amount);

Or, to use the JSR 250 annotations (@RolesAllowed, @PermitAll, @DenyAll) instead:

<global-method-security jsr250-annotations="enabled"/>

Securing Methods 3.x

<global-method-security pre-post-annotations="enabled"/>

@PreAuthorize("isAnonymous()")
public Account readAccount(Long id);

@PreAuthorize("isAnonymous()")
public Account[] findAccounts();

@PreAuthorize("hasAuthority('ROLE_TELLER')")
public Account post(Account account, double amount);

Note that isAnonymous() is true only for callers who are not logged in, so it is stricter than IS_AUTHENTICATED_ANONYMOUSLY on the previous slide, which also admits authenticated users; permitAll() is the closer equivalent.

Spring Security Limitations
Authentication mechanism in WAR
Securing methods only works on Spring beans
My remember me example doesn’t work

Apache Shiro
Filter defined in web.xml
shiro.ini loaded from classpath
- [main], [urls], [roles]
Cryptography
Session Management

Apache Shiro Demo

Apache Shiro Limitations
Limited Documentation
Getting Roles via LDAP not supported
No out-of-the-box support for Kerberos
REST Support needs work

Testing with SSL
Cargo doesn’t support http and https at the same time
Jetty and Tomcat plugins work for both
Pass javax.net.ssl.trustStore & javax.net.ssl.trustStorePassword to maven-failsafe-plugin as <systemPropertyVariables>

Securing a REST API
Use Basic or Form Authentication
Use Developer Keys
Use OAuth

OAuth

REST Security and OAuth Demo

Integrating OAuth with AppFuse and REST

REST Security Resources
Implementing REST Authentication
Swagger ApiAuthorizationFilter

REST Security Resources
Spring Security OAuth
- version 1.0.1
Spring Social
- version 1.0.2
- Facebook, Twitter, LinkedIn, TripIt, and GitHub Bindings

Penetrate
OWASP Testing Guide and Code Review Guide
OWASP Top 10
OWASP Zed Attack Proxy
Burp Suite
OWASP WebGoat

OWASP
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software.
At OWASP you’ll find free and open Application security tools, complete books, standard security controls and libraries, cutting edge research

Penetration Testing Demo

Fixing ZAP Vulnerabilities

<session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

<form action="${ctx}/j_security_check" id="loginForm" method="post" autocomplete="off">

7 Security (Mis)Configurations in web.xml
1. Error pages not configured
2. Authentication & Authorization Bypass
3. SSL Not Configured
4. Not Using the Secure Flag

7 Security (Mis)Configurations
5. Not Using the HttpOnly Flag
6. Using URL Parameters for Session Tracking
7. Not Setting a Session Timeout
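
The following audit script is an added example, not from the deck, that checks a web.xml for the seven misconfigurations above and for the web-resource-collection / auth-constraint / user-data-constraint structure from the Java EE 6 slide. It uses only the Python standard library; the embedded web.xml is constructed for illustration and has the session-config fix from the ZAP slide applied, with other items deliberately left open.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from any real project): the session-config fix from the
# "Fixing ZAP Vulnerabilities" slide is applied, but other items are still open.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ROLE_ADMIN</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _strip_namespaces(root):
    """web.xml declares the Java EE namespace; drop it so lookups stay readable."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _is_true(parent, name):
    child = parent.find(name) if parent is not None else None
    return child is not None and (child.text or "").strip().lower() == "true"


def audit_web_xml(xml_text):
    """Return the ids of the misconfigurations found, in slide order, without duplicates."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    findings = []

    # 1. Error pages not configured: container default pages leak stack traces.
    if root.find("error-page") is None:
        findings.append("error-pages-missing")

    # 2. Authentication & authorization bypass: a constraint without <auth-constraint>
    #    restricts nobody, and listing <http-method> covers ONLY those verbs, so a
    #    request using any other method (HEAD, POST, ...) skips the check entirely.
    constraints = root.findall("security-constraint")
    if not constraints:
        findings.append("no-security-constraint")
    for sc in constraints:
        if sc.find("auth-constraint") is None:
            findings.append("auth-constraint-missing")
        if any(wrc.findall("http-method") for wrc in sc.findall("web-resource-collection")):
            findings.append("http-method-bypass")

    # 3. SSL not configured: no <user-data-constraint> demanding CONFIDENTIAL transport.
    guarantees = [g.text.strip() for g in root.iter("transport-guarantee") if g.text]
    if "CONFIDENTIAL" not in guarantees:
        findings.append("ssl-not-required")

    # 4./5. Secure and HttpOnly flags on the session cookie (Servlet 3.0 <cookie-config>).
    session = root.find("session-config")
    cookie = session.find("cookie-config") if session is not None else None
    if not _is_true(cookie, "secure"):
        findings.append("cookie-secure-missing")
    if not _is_true(cookie, "http-only"):
        findings.append("cookie-httponly-missing")

    # 6. URL rewriting puts the session id into links, logs and Referer headers;
    #    anything other than exactly one COOKIE tracking mode leaves it enabled.
    modes = [m.text.strip().upper() for m in root.iter("tracking-mode") if m.text]
    if modes != ["COOKIE"]:
        findings.append("url-session-tracking")

    # 7. Session timeout: absent, zero or negative means the container default or never.
    timeout = session.findtext("session-timeout", "0") if session is not None else "0"
    if not timeout.strip().lstrip("-").isdigit() or int(timeout) <= 0:
        findings.append("session-timeout-missing")

    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    print(audit_web_xml(SAMPLE_WEB_XML))
```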

OWASP Top 10 for 2010
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)

OWASP Top 10 for 2010
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

Protect
[SWAT] Checklist
Firewalls
IDS and IDPs
Audits
Penetration Tests
Code Reviews with Static Analysis Tools

Firewalls
Stateless Firewalls
Stateful Firewalls
- Invented by Nir Zuk at in the mid-90s
Web App Firewalls
- Inspired by the 1996 PHF CGI exploit
- WAF Market $234m in 2010

Gartner on Firewalls

Content Security Policy
An HTTP Header with a whitelist of trusted content
Bans inline <script> tags, inline event handlers and javascript: URLs
No eval(), new Function(), setTimeout or setInterval
Supported in Chrome 16+, Safari 6+, and Firefox 4+, and (very) limited in IE 10

Content Security Policy
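
As an added example (not part of the deck), a small Python checker for the script portion of a CSP value: it applies the script-src to default-src fallback and the first-directive-wins rule from the CSP spec, then reports whether the policy still allows the inline script, eval and wildcard sources the slide says CSP is meant to ban. The sample policies are constructed.

```python
# Script-source values that defeat the purpose of a whitelist: a wildcard or a
# bare scheme admits every host, and data: lets the attacker supply the script.
UNSAFE_SCHEMES = {"*", "http:", "https:", "data:"}


def parse_csp(policy):
    """Parse a Content-Security-Policy value into {directive: [source, ...]}.

    Directives are separated by ';' and tokens by whitespace. Per the CSP spec a
    directive that appears twice is ignored the second time (the first one wins).
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_script_sources(directives):
    """script-src falls back to default-src; None means scripts are unrestricted."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def audit_script_policy(policy):
    """Return the ids of the weaknesses in the script portion of a CSP value."""
    sources = effective_script_sources(parse_csp(policy))
    if sources is None:
        # Neither script-src nor default-src: the header says nothing about scripts.
        return ["no-script-restriction"]
    lowered = {s.lower() for s in sources}
    findings = []
    if "'unsafe-inline'" in lowered:
        # Re-enables inline <script>, on* handlers and javascript: URLs.
        findings.append("inline-script-allowed")
    if "'unsafe-eval'" in lowered:
        # Re-enables eval(), new Function() and string arguments to setTimeout/setInterval.
        findings.append("eval-allowed")
    if lowered & UNSAFE_SCHEMES:
        findings.append("wildcard-script-source")
    return findings


# Constructed examples: a policy that only looks restrictive, and a corrected one.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *"
STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'"

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(label, audit_script_policy(policy) or ["ok"])
```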

Relax
Web App Firewalls: Imperva, F5, Breach
- Open Source: WebKnight and ModSecurity
Stateful Firewalls: Juniper, Check Point, Palo Alto
IDP/IDS: Sourcefire, TippingPoint
- Open Source: Snort
Audits: ENY, PWC, Grant Thornton
Pen Testing: WhiteHat, Trustwave, Electric Alchemy
- Open Source: OWASP ZAP
Static Analysis: Fortify, Veracode

Remember
“Security is a quality, and as all other quality, it is important that we build it into our apps while we are developing them, not patching it on afterwards like many people do.”
-- From a comment on my blog

Action!
Use OWASP and Open Source Security Frameworks
Don’t be afraid to contribute!
Follow the Security Street Fighter Blog
Use OWASP ZAP to pentest your apps
Don’t be afraid of security!

Additional Reading
Securing a JavaScript-based Web Application
Michal Zalewski’s “The Tangled Web”

Additional Resources
OWASP Denver
- Next Meeting: Wednesday, February 20, 6-8pm
Front Range OWASP Security Conference
- March 28 - 29 in Denver
David Campbell of Electric Alchemy

Questions?
Contact Information
My Presentations