A Sneak Peek at the OWASP Enterprise Security API
Transcript of A Sneak Peek at the OWASP Enterprise Security API
Copyright © 2007 - The OWASP Foundation
This work is available under the Creative Commons SA 2.5 license
The OWASP Foundation
The Open Web Application Security Project
http://www.owasp.org
A Sneak Peek at the OWASP Enterprise Security API
Jeff Williams
OWASP Foundation [email protected]
Aspect Security [email protected]
The Challenge…
Developers need to rip, mix, and burn authentication, access control, input validation, encoding, encryption, logging, error handling, etc…
Log4j, Reform, ACEGI, Struts, Stinger, Spring, Validator, Jasypt, JCE, JAAS, Cryptix, BouncyCastle, Anti-XSS, xml-dsig, xml-enc, and lots, lots more…
Drivers
I’m tired of security “researchers”
Most developers shouldn't build security controls
  When to use a control
  How to use a control
  Why to use a control (maybe)
All the security guidelines, courses, tutorials, websites, books, etc… are all mixed up because everyone builds their own controls
Few organizations have a complete security API
Design
Only include methods that…
  Are useful in a large percentage of applications
  Focus on the most risky areas
Designed to be simple to understand and use
Interfaces with concrete reference implementation
Full documentation and usage examples
Same basic API across common platforms
  Java EE, .NET, PHP, others?
Strawman
Preliminary
Customizing
ESAPI is an API
  Wrap existing libraries and services
  Extend and customize ESAPI
  Fill in gaps with reference implementation
Easy to retrofit to existing applications
Project Plan and Status
2002 – Start Collecting
9/07 – Sneak Peek
Quality
Authenticator
Key Methods:
  createUser(accountName, pass1, pass2)
  generateStrongPassword()
  getCurrentUser()
  login(request, response)
  verifyAccountNameStrength(acctName)
  verifyPasswordStrength(newPass, oldPass)
Reference Implementation:
  Use threadlocal variable to store current User
  Automatically changes sessionid on login and logout
User
Key Methods:
  changePassword(old, new1, new2)
  disable()
  enable()
  getAccountName()
  getScreenName()
  getCSRFToken()
  getLastFailedLoginTime()
  getLastLoginTime()
  getRoles()
  isInRole(role)
  isEnabled()
  isExpired()
  isLocked()
  loginWithPassword(password, request, response)
  logout(request, response)
  resetCSRFToken()
  resetPassword()
  verifyCSRFToken(java.lang.String token)
AccessController
Key Methods:
  isAuthorizedForData(key)
  isAuthorizedForFile(filepath)
  isAuthorizedForFunction(functionName)
  isAuthorizedForService(serviceName)
  isAuthorizedForURL(url)
Reference Implementation (not required):
  /*       | any   | deny  | default deny rule
  /admin/* | admin | allow | admin access to /admin
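The rule table above is the whole idea of the reference access controller: a default-deny rule at the bottom, and narrower rules that grant access to a role. The following is an added illustration, not ESAPI's own code or its real rule parser, of how such a table can drive isAuthorizedForURL. Assumptions made here: a pattern ending in "/*" is a prefix match, the role "any" matches everyone, the longest matching pattern wins, deny wins a tie, and a URL that matches nothing is denied.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added illustration (not ESAPI code): URL authorization driven by a
// "pattern | role | allow/deny | comment" rule table, default deny.
public class UrlAccessController {

    private static final class Rule {
        final String pattern;
        final String role;
        final boolean allow;

        Rule(String pattern, String role, boolean allow) {
            this.pattern = pattern;
            this.role = role;
            this.allow = allow;
        }

        boolean matchesPath(String path) {
            if (pattern.endsWith("/*")) {
                // "/admin/*" covers "/admin/" and everything below it (assumed semantics)
                return path.startsWith(pattern.substring(0, pattern.length() - 1));
            }
            return pattern.equals(path);
        }

        boolean matchesRole(Set<String> roles) {
            return role.equals("any") || roles.contains(role);
        }
    }

    private final List<Rule> rules = new ArrayList<>();

    /** Parses one rule per line; '#' starts a comment line, the fourth column is free text. */
    public static UrlAccessController fromTable(String table) {
        UrlAccessController ac = new UrlAccessController();
        for (String raw : table.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) {
                continue;
            }
            String[] cols = line.split("\\|");
            if (cols.length < 3) {
                throw new IllegalArgumentException("Malformed rule: " + line);
            }
            String verdict = cols[2].trim().toLowerCase();
            if (!verdict.equals("allow") && !verdict.equals("deny")) {
                throw new IllegalArgumentException("Verdict must be allow or deny: " + line);
            }
            ac.rules.add(new Rule(cols[0].trim(), cols[1].trim(), verdict.equals("allow")));
        }
        return ac;
    }

    /** Default deny: anything the table does not explicitly allow is refused. */
    public boolean isAuthorizedForURL(String url, Set<String> userRoles) {
        String path;
        try {
            // Normalize before matching so "/app/../admin/users" is judged on its
            // resolved form; the query string plays no part in the decision.
            path = URI.create(url).normalize().getPath();
        } catch (IllegalArgumentException e) {
            return false; // unparsable URL: deny
        }
        if (path == null || !path.startsWith("/")) {
            return false;
        }
        Rule best = null;
        for (Rule r : rules) {
            if (!r.matchesPath(path) || !r.matchesRole(userRoles)) {
                continue;
            }
            if (best == null
                    || r.pattern.length() > best.pattern.length()
                    || (r.pattern.length() == best.pattern.length() && !r.allow)) {
                best = r; // most specific rule wins, deny wins a tie
            }
        }
        return best != null && best.allow;
    }

    public static void main(String[] args) {
        UrlAccessController ac = UrlAccessController.fromTable(
                "/*       | any   | deny  | default deny rule\n"
              + "/admin/* | admin | allow | admin access to /admin\n"
              + "/app/*   | user  | allow | ordinary users\n");
        Set<String> admin = Set.of("admin", "user");
        Set<String> user = Set.of("user");
        System.out.println(ac.isAuthorizedForURL("/admin/users", admin));            // true
        System.out.println(ac.isAuthorizedForURL("/admin/users", user));             // false
        System.out.println(ac.isAuthorizedForURL("/app/x/../../admin/users", user)); // false
        System.out.println(ac.isAuthorizedForURL("/app/report?id=1", user));         // true
        System.out.println(ac.isAuthorizedForURL("/other", admin));                  // false
    }
}
```

The normalization step matters as much as the table: without it the "/admin/*" check can be bypassed with a path that only resolves to /admin after dot-segment removal, so the controller canonicalizes first and denies anything it cannot parse.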
AccessReferenceMap
Key Methods:
  getDirectReference(indirectReference)
  getIndirectReference(directReference)
  iterator()
  update(directReferences)
Example:
  Direct reference:   http://www.ibank.com?file=report123.xls
  Indirect reference: http://www.ibank.com?file=a3nr38
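The example shows the point of the map: the page carries a random token instead of the real file name, so a user cannot reach report124.xls by editing the URL. Here is an added illustration, not ESAPI's reference implementation, of a per-session map with the four methods on the slide. The token alphabet, token length and the exception class are assumptions of this example.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration (not ESAPI code): indirect object references per session.
// Assumption: one instance lives in each user's session, so a token only
// resolves for the user whose page it was rendered into.
public class RandomAccessReferenceMap<T> {

    /** Thrown for unknown tokens; the caller sees a refusal, never an internal id. */
    public static class AccessControlException extends Exception {
        public AccessControlException(String message) { super(message); }
    }

    private static final String ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"; // no look-alikes
    private static final int TOKEN_LENGTH = 6;

    private final SecureRandom random = new SecureRandom();
    private final Map<String, T> indirectToDirect = new HashMap<>();
    private final Map<T, String> directToIndirect = new HashMap<>();

    /** Replace the set of references this user may address. Tokens already issued are
     *  kept so links in rendered pages stay valid; references no longer granted are dropped. */
    public synchronized void update(Collection<T> directReferences) {
        Set<T> wanted = new HashSet<>(directReferences);
        directToIndirect.keySet().retainAll(wanted);
        indirectToDirect.values().retainAll(wanted);
        for (T direct : wanted) {
            if (!directToIndirect.containsKey(direct)) {
                String indirect;
                do {
                    indirect = randomToken();
                } while (indirectToDirect.containsKey(indirect));
                directToIndirect.put(direct, indirect);
                indirectToDirect.put(indirect, direct);
            }
        }
    }

    /** Token to embed in the page, or null if the direct reference was never granted. */
    public synchronized String getIndirectReference(T directReference) {
        return directToIndirect.get(directReference);
    }

    /** Resolve a token from the request; anything not granted via update() is refused. */
    public synchronized T getDirectReference(String indirectReference) throws AccessControlException {
        T direct = indirectReference == null ? null : indirectToDirect.get(indirectReference);
        if (direct == null) {
            throw new AccessControlException("Access denied for reference " + indirectReference);
        }
        return direct;
    }

    /** Snapshot iterator over the direct references the user currently holds. */
    public synchronized Iterator<T> iterator() {
        List<T> snapshot = new ArrayList<>(directToIndirect.keySet());
        return snapshot.iterator();
    }

    private String randomToken() {
        StringBuilder sb = new StringBuilder(TOKEN_LENGTH);
        for (int i = 0; i < TOKEN_LENGTH; i++) {
            sb.append(ALPHABET.charAt(random.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        RandomAccessReferenceMap<String> map = new RandomAccessReferenceMap<>();
        map.update(List.of("report123.xls", "report124.xls")); // files this user may download
        String token = map.getIndirectReference("report123.xls");
        System.out.println("link: http://www.ibank.com?file=" + token);
        System.out.println("resolves to: " + map.getDirectReference(token));
        try {
            map.getDirectReference("report999.xls"); // a guessed direct name is refused
        } catch (AccessControlException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The map does not replace the access control check on the server: it narrows what a request can even name to the set the application granted when it rendered the page, which is why update() is called with exactly that set.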
Validator
Key Methods:
  canonicalize(input)
  isValidFileUpload(filepath, filename, content)
  isValidCreditCard(input)
  isValid*****(input)
  isValidRedirectLocation(location)
  isValidSafeHTML(input)
  safeReadLine(inputStream, maxchars)
Canonicalization is really important
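Canonicalization matters because a validator that checks "<script>" against the raw input is defeated by "%3Cscript%3E" or "&lt;script&gt;", and a validator that decodes once is defeated by "%253Cscript%253E". The following is an added illustration, not ESAPI's canonicalize(), of a decoder that peels percent-encoding and HTML entity encoding layer by layer and counts the layers. Treating more than one decoding step as an error unless the caller opts in is this example's assumption; the entity set it knows is deliberately small.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration (not ESAPI code): layered canonicalization with
// detection of double and mixed encoding.
public class Canonicalizer {

    public static final class Result {
        public final String value;
        public final int decodingSteps;
        Result(String value, int decodingSteps) { this.value = value; this.decodingSteps = decodingSteps; }
    }

    private static final Pattern ENTITY =
            Pattern.compile("&(?:#[xX]([0-9a-fA-F]{1,6})|#([0-9]{1,7})|(lt|gt|amp|quot|apos));");
    private static final Map<String, String> NAMED =
            Map.of("lt", "<", "gt", ">", "amp", "&", "quot", "\"", "apos", "'");
    private static final int MAX_STEPS = 8;

    /** Decodes until the string stops changing; each layer removed counts as one step. */
    public static Result canonicalize(String input, boolean allowMultipleEncoding) {
        String current = input;
        int steps = 0;
        while (true) {
            String afterUrl = urlDecode(current);
            if (!afterUrl.equals(current)) { steps++; }
            String afterHtml = htmlDecode(afterUrl);
            if (!afterHtml.equals(afterUrl)) { steps++; }
            if (afterHtml.equals(current)) { break; } // nothing left to decode
            if (steps > MAX_STEPS) { throw new IllegalArgumentException("Too many encoding layers"); }
            current = afterHtml;
        }
        if (steps > 1 && !allowMultipleEncoding) {
            throw new IllegalArgumentException("Multiple or mixed encoding detected: " + input);
        }
        return new Result(current, steps);
    }

    private static String urlDecode(String s) {
        if (s.indexOf('%') < 0) { return s; }
        try {
            // URLDecoder turns '+' into a space; protect a literal '+' so only %XX decodes.
            return URLDecoder.decode(s.replace("+", "%2B"), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            // A validator rejects what it cannot canonicalize (e.g. a dangling "%zz").
            throw new IllegalArgumentException("Malformed percent-encoding: " + s, e);
        }
    }

    private static String htmlDecode(String s) {
        if (s.indexOf('&') < 0) { return s; }
        Matcher m = ENTITY.matcher(s);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String replacement;
            if (m.group(3) != null) {
                replacement = NAMED.get(m.group(3));
            } else {
                int codePoint = m.group(1) != null
                        ? Integer.parseInt(m.group(1), 16)
                        : Integer.parseInt(m.group(2));
                if (!Character.isValidCodePoint(codePoint)) {
                    throw new IllegalArgumentException("Invalid character reference in: " + s);
                }
                replacement = new String(Character.toChars(codePoint));
            }
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println(canonicalize("%3Cscript%3E", true).value);          // <script>
        System.out.println(canonicalize("&lt;script&gt;", true).decodingSteps); // 1
        Result r = canonicalize("%26lt%3Bscript%26gt%3B", true);                // URL-encoded entities
        System.out.println(r.value + " after " + r.decodingSteps + " steps");   // <script> after 2 steps
        try {
            canonicalize("%253Cscript%253E", false);                            // double percent-encoding
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Every isValid* method in a validator should run its check on the canonicalized value, and a step count above one is itself a useful signal to hand to intrusion detection, since legitimate users rarely double-encode anything.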
Encoder
HTTPUtilities
Key Methods:
  changeSessionIdentifier(request)
  formatHttpRequestForLog(request, sensitiveList)
  getFileUploads(request, tempDir, finalDir)
  killAllCookies(request, response)
  killCookie(name, request, response)
  sendRedirect(location)
  setCookie(name, value, age, domain, path, response)
  setNoCacheHeaders(response)
Safer ways of dealing with HTTP, uses HTTPOnly
Encryptor
Key Methods:
  decrypt(ciphertext)
  encrypt(plaintext)
  hash(plaintext, salt)
  loadCertificateFromFile(file)
  getTimeStamp()
  seal(data, expiration)
  verifySeal(seal, data)
  sign(data)
  verifySignature(signature, data)
Simple master key in configuration
Minimal certificate support
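seal(data, expiration) and verifySeal(seal, data) are the pair an application uses to hand a value to the client (a hidden field, a password-reset token) and later confirm it came back unmodified and in time. As an added illustration, not ESAPI's Encryptor, the class below builds that pair on an HMAC under a master key that would normally be loaded from configuration. The HMAC construction is a swapped-in choice of this example: it protects integrity and freshness only, the sealed data travels in the clear. Seal format, key length check and names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration (not ESAPI code): seal/verifySeal as an expiring HMAC tag.
public class HmacSealer {

    private static final String ALGORITHM = "HmacSHA256";
    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private final SecretKeySpec masterKey;

    public HmacSealer(byte[] masterKeyBytes) {
        if (masterKeyBytes.length < 32) { throw new IllegalArgumentException("master key too short"); }
        this.masterKey = new SecretKeySpec(masterKeyBytes, ALGORITHM);
    }

    /** Returns base64url(expiresAtMillis ":" data) "." base64url(HMAC over that payload). */
    public String seal(String data, long expiresAtMillis) {
        String payload = expiresAtMillis + ":" + data;
        return B64E.encodeToString(payload.getBytes(StandardCharsets.UTF_8))
                + "." + B64E.encodeToString(hmac(payload));
    }

    /** True only if the MAC matches (compared in constant time), the seal is unexpired
     *  and the sealed data equals what the caller expects. Any parse failure is a rejection. */
    public boolean verifySeal(String seal, String expectedData, long nowMillis) {
        try {
            int dot = seal.lastIndexOf('.');
            if (dot < 0) { return false; }
            String payload = new String(B64D.decode(seal.substring(0, dot)), StandardCharsets.UTF_8);
            byte[] presented = B64D.decode(seal.substring(dot + 1));
            if (!MessageDigest.isEqual(hmac(payload), presented)) { return false; } // tampered or wrong key
            int colon = payload.indexOf(':');
            long expiresAt = Long.parseLong(payload.substring(0, colon));
            String data = payload.substring(colon + 1);
            return nowMillis <= expiresAt && data.equals(expectedData);
        } catch (RuntimeException e) {
            return false; // bad base64, missing ':' or non-numeric expiry
        }
    }

    private byte[] hmac(String payload) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(masterKey);
            return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(ALGORITHM + " unavailable", e);
        }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // constructed key; real code loads it from configuration
        HmacSealer sealer = new HmacSealer(key);
        long now = System.currentTimeMillis();
        String data = "user=alice;role=admin";
        String seal = sealer.seal(data, now + 60_000);
        System.out.println(sealer.verifySeal(seal, data, now));                  // true
        System.out.println(sealer.verifySeal(seal, data, now + 120_000));        // false: expired
        System.out.println(sealer.verifySeal(seal, "user=mallory;role=admin", now)); // false: wrong data
        String forged = seal.substring(0, seal.length() - 2) + "AA";
        System.out.println(sealer.verifySeal(forged, data, now));                // false: MAC mismatch
    }
}
```

Two details carry the security of the scheme: the MAC is verified before anything in the payload is trusted, and the comparison uses MessageDigest.isEqual rather than Arrays.equals so the time taken does not leak how many leading bytes of a forged tag were right.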
EncryptedProperties
Key Methods:
  getProperty(key)
  setProperty(key, value)
  keySet()
  load(inputStream)
  store(outputStream, comments)
Simple protected storage for configuration data
Randomizer
Key Methods:
  getRandomInteger(min, max)
  getRandomReal(min, max)
  getRandomString(length, characterSet)
Several pre-defined character sets: lowers, uppers, digits, specials, letters, alphanumerics, password, etc…
Exception Handling
EnterpriseSecurityException
  AccessControlException
  AuthenticationException
  AvailabilityException
  CertificateException
  EncryptionException
  ExecutorException
  IntrusionException
  ValidationException
Allows a sensible security exception framework
Logger
Key Methods:
  getLogger(applicationName, moduleName)
  logCritical(type, message, throwable)
  logDebug(type, message, throwable)
  logError(type, message, throwable)
  logSuccess(type, message, throwable)
  logTrace(type, message, throwable)
  logWarning(type, message, throwable)
All EnterpriseSecurityExceptions are automatically logged
IntrusionDetector
Key Methods:
  addException(exception)
  createQuota(exception, limit)
Current Plan:
  EnterpriseSecurityExceptions are automatically sent to IntrusionDetector
  Can set a quota for any exception
  Detects exceeding quota in a specified time period
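The plan on this slide is a counting problem: every security exception is reported, and a quota says how many of one type a single user may trigger inside a time window before the detector reacts. As an added illustration, not ESAPI's IntrusionDetector, the class below keeps a sliding window per user and exception type and throws an IntrusionException when the quota is exceeded. The clock is passed in so the behaviour is reproducible; the quota shape (count plus interval), the method signatures and the stand-in AuthenticationException are assumptions of this example.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Added illustration (not ESAPI code): quota-based intrusion detection over a
// sliding window of reported security exceptions.
public class QuotaIntrusionDetector {

    public static class IntrusionException extends RuntimeException {
        public IntrusionException(String message) { super(message); }
    }

    /** Stand-in for the slide's AuthenticationException, so the example is self-contained. */
    public static class AuthenticationException extends Exception {
        public AuthenticationException(String message) { super(message); }
    }

    private static final class Quota {
        final int count;
        final long intervalMillis;
        Quota(int count, long intervalMillis) { this.count = count; this.intervalMillis = intervalMillis; }
    }

    private final Map<String, Quota> quotas = new HashMap<>();        // exception type -> quota
    private final Map<String, Deque<Long>> history = new HashMap<>(); // user|type -> event times

    /** Allow at most `count` exceptions of `type` per user within `intervalMillis`. */
    public synchronized void createQuota(Class<? extends Exception> type, int count, long intervalMillis) {
        if (count < 1 || intervalMillis < 1) { throw new IllegalArgumentException("quota must be positive"); }
        quotas.put(type.getName(), new Quota(count, intervalMillis));
    }

    /** Record one exception for `user`; on exceeding the quota the window is reset and
     *  an IntrusionException is thrown for the caller to act on (log, lock, log out). */
    public synchronized void addException(String user, Exception exception, long nowMillis) {
        String type = exception.getClass().getName();
        Quota quota = quotas.get(type);
        if (quota == null) {
            return; // no quota configured for this type: nothing to count
        }
        Deque<Long> times = history.computeIfAbsent(user + "|" + type, k -> new ArrayDeque<>());
        times.addLast(nowMillis);
        while (!times.isEmpty() && nowMillis - times.peekFirst() > quota.intervalMillis) {
            times.pollFirst(); // drop events that fell out of the window
        }
        if (times.size() > quota.count) {
            times.clear();
            throw new IntrusionException(user + " exceeded " + quota.count + " x " + type
                    + " in " + quota.intervalMillis + " ms");
        }
    }

    /** Number of events currently inside the window for this user and type. */
    public synchronized int countInWindow(String user, Class<? extends Exception> type) {
        Deque<Long> times = history.get(user + "|" + type.getName());
        return times == null ? 0 : times.size();
    }

    public static void main(String[] args) {
        QuotaIntrusionDetector detector = new QuotaIntrusionDetector();
        detector.createQuota(AuthenticationException.class, 3, 60_000); // 3 failures per minute
        long t0 = 1_000_000L; // constructed clock value
        try {
            for (int i = 0; i < 4; i++) {
                // four failed logins within 30 seconds
                detector.addException("alice", new AuthenticationException("bad password"), t0 + i * 10_000);
            }
        } catch (IntrusionException e) {
            System.out.println("intrusion: " + e.getMessage()); // fires on the fourth failure
        }
        // three failures spread over more than a minute stay under the quota
        for (int i = 0; i < 3; i++) {
            detector.addException("bob", new AuthenticationException("bad password"), t0 + i * 40_000);
        }
        System.out.println("bob in window: " + detector.countInWindow("bob", AuthenticationException.class)); // 2
    }
}
```

What to do when the quota trips is a policy choice outside the detector; the User methods on the earlier slide (disable(), logout(request, response)) are the natural responses, and the event should go through the Logger either way so the pattern is visible to whoever reviews the logs.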
OWASP Top Ten Coverage
Closing Thoughts
I have learned an amazing amount (I thought I knew)
An ESAPI is a key part of a balanced breakfast
Integrated API has huge benefits over separate libraries
Secondary benefits:
  May help static analysis do better
  Enables security upgrades across applications
  Simplifies developer training
Next year – experiences moving to ESAPI