Add to Watchlist

OWASP Security knowledge Framework


Citation of segment
Embed Code
Purchasing a DVD Cite video

Formal Metadata

Title OWASP Security knowledge Framework
Subtitle Survival is not mandatory
Title of Series Hacktivity 2015
Part Number 19
Number of Parts 29
Author Cate, Ten Glenn
License CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
DOI 10.5446/18839
Publisher Hacktivity
Release Date 2015
Language English

Content Metadata

Subject Area Computer Science
Abstract We will go trough the aviation industrie to see how they work and how they deal with problems they encounter. Then we show how developers can solve problems using the same methodology. This presentation will show to accomplish the same in the Software Development Life Cycle of your applications in a DevOpS environment where multiple deployments are done in a day and where security is important.

Related Material

so I you really happy to be here and there as well as explain more and then use the aviation as a comparison to the level of security offered development and so yes survival is not mandatory and yet the air force on his departure thing are you own book so later on in the end we will come back to this question and then you have dive into it so you have to let's see where my and let the cat most secure do that you refer lists and also the altering together with my brother of a loss of security knowledge framework and well you're some coordinates if you want to contact of have questions so yeah I want to start with airplanes I I mean I personally really scared when I 1st went into an airplane I mean you give out to control and again it is really a false name of traveling right
it's it's it's also is we call this using the latest technology has altered by law that's a lot of cool technology in their and monitoring of the communication and the and my opinion there are very reliable like if you take a bite or go walking
and there's a higher education you would die right half and
so yeah I want to dive into the all aviation airplanes and to see how they handle well problems
how they deal with a risk and and I think it was a really good uh comparison to the whole software development the part and security and so in the airplane and aviation world you have a lot of training of course training is essential when creating new pilots and you know teach them all that's all the things and as you can see they have to know a lot of things before even then start right the the uh instrumentations the automation and they're all this stuff so training takes a long time and it's really the profession right if this part of the whole uh at the end of the development cycle but the whole cycle of the irradiation and getting the pilots to learn their experience in the things they should know and so and the
other thing is checklist they use a lot of checklists before they land before go eject everything because you have don't want to have airplane drop by the 15 years guy or lose
the airplane that these possibilities of dollars and all and there's also people in their so hey uh let's check JET JET so checklists are really important 40 aviation prior pilots and also you have a lot of manual so I mean when there is a critic uh situation they can grab the manual go to this specific point in there and have some guidance on the issue of how to solve it if the engine fills what is the next procedure what should we do right so also manuals are part of the whole flow of the aviation very important then of course you have testing they test everything in very in depth and diffuse right really check like use would be at the this to be a matter of how strong is it well how many Barton can resist rights and so all the parts of that airplane really tested in that like you see here in the in the picture here you see and the pond water into the engine because yes and there is a use case when you're in the sky and there's a big storm and the engines shouldn't you know drop out or fail or because of their the amount of water being pumped into the engine so in here you see being tested properly to see and if it's handled correctly and so they they do a lot of testing like create critical individual components in certain conditions they're really rare right and manual testing of course and in years you will ultimately gets the so the best thing of all this stuff all the components and how they work together are really important and also I think this is a very important part sharing information so the airline companies when they found something and it's really an issue like possible to let the airplane crash or you know they they immediately send this information around also the other aviation's an airplane manufacturing to see if this problem also is in there right they're really have a close connection together and yet you learn from their mistakes and trying to share this knowledge to the other ones so that they can keep their assets safe and keep our lysate safe right not that in the plane crash so in the end I see this as a all of all this is for the good of what that protecting last for protecting their airplanes protecting the people and I really like this idea this this open mindedness storage each other helping because yes it's a win-win for everybody in the airplane keeps in right and so now I want to make this step to the software development world and so I want to start with that's how important it is to do security I mean last year this year and I'm around 45 million web applications got hacks and these are only this step that that that the metrics we know of right so 545 million that uh were open about it like Amy got had so we don't even see the rest that's that reported right so and also a lot of sense if information is uh well correlated to the airplane industry lots of people are addressed and and also criminals build really better in IT and and hectic you know and I see i t is still behind so he added that the by the says that those who fail to learn from history are forced to repeat past and well this obvious if I had to look for a name which only after we have to learned we have to adopt we have to share knowledge like the aviation industry is doing so then I come to the point where the sharing knowledge sharing knowledge I see is and the sulfur security world a lost almost general already a two-dimensional below it is the opening web applications secured profit worldwide nonprofit charitable organization really focus on proving security helping developers helping the world to do security right and so it is really a knowledge sharing platforms selection at work for everybody is interested in doing security proper and and you know want to have guidance would and so again I like the it is like doing the aviation part sharing the knowledge is a win-win situation for everybody and also use checklists like we see in aviation industry so a has the application security verification standards it's a worldwide use checklists is already like 5 6 years old we're now at a revision of 3 . 0 and that this is gonna be released like and yesterday while OK so yesterday the new version of the checklist came out like this and this is really worldwide or already except that uh and it's all about securing web applications in debt um yes of course because of physical laws for more information And so what is the RCS is the verification standard and another only that you can also use it as a security requirements depending on what type of application want to defend you can say OK this security requirement can be level 1 for a really easy simple applications or a level 3 really critical applications and depending on what level you choose the different type of security controls will be in there and so what does it mean if you don't have a security requirements as well and my honest opinion can only lead to 1 thing In this case in the aviation it it you know an airplane can crash right I mean the only question is when if we don't deal with security and we don't have security requirements this is reality people lies are addressed so not to the good part training also of course has a lot of training capabilities and like you said I am the author of 2 security knowledge framework is really a tool intended to help and guide developers and train them it is fully open and it is all about creating web applications security by by design and we also make use of the ACS as pose development stage and and again you know also we we tried to map and learn from the aviation I mean I have really safe good feeling when I get into an airplane and I know it now I get there I get from a to z and aa land safely so training in here is also very important and now I want to talk a little bit about the security knowledge frame so in the situated knowledge framework we have uh multiple core functionality and like the pre-development phase both development phase the security knowledge framework as a reference for looking up things because what we find out when you are in desperate and you want to have some guidance on specific how to do or implement certain Bible functionality it's still hard to have found find a really good place where there is an authority and you can't trust or you know it's validated which is there and it was really hard because and take for example call-center press forgery as if you go it you get tons of examples and all of those tons of examples only like 3 or 4 are really good they're really security by design thought about it we didn't miss any implementation and out because they thought of it very well if you work in lucky choose 1 of the others that you had you you implemented the cross-eyed against forgery so disputed knowledge framework want to address this issue you want to know created global place where you can look up the information get guidance and also as a place of authority right because it's transparent this open-source everybody can we view and it will make the you know contributions to and and we also have the security code examples and did those are really intended to help the developer owner really implementation level and in the code examples are not meant to base it all about getting the right mind set to and powered a developer to create defensible web applications that are really secure by design and and with the security code examples we try to give more guidance in depth about the whole mind-set and that developers should have right and so now I want to have a small fuel and look at the security knowledge framework itself and the security knowledge is basically a web application that you can um in on your local machine if you wouldn't want that and you can also spin it up as a surface in such a company and use like that and so that means for
peer that's the Open day so
everybody can have a move everybody can inject uh we we also have that so somebody now size inject the application it will go a lot that 1 has so please don't have an so basically this is the landing page of the security military this application you can also run like this said before as a service or local on the machine of the developer and this is the landing page um and as you can see we have a certain type of things so I will want to start with
the knowledge base the knowledge base is basically what all the other things are built around it so the knowledge base are like almost more than 200 items that you should take into consideration or implemented in Europe well maybe critical at application so as you can see here it's very an extensive and a really big list so if you have a critical that application and you know that really is a critical you should implement all those checklist items but have a look how many adopt so and again so the whole idea of the knowledge base is to have a central place of reference where you can look something up so in here you can just say I want to know something about that loading and then you get to follow a blood injections so the knowledge base is basically explaining what the attack factories all of these items so what can and that you when you have followed the injections and you can see we don't bother and showing how to develop a can head or do this now we were just creating awareness and mind-set and also after that 1 what when we show what the impact factories we also have a solution and in the solution we we want to guide the developer and tell him what are all the possibilities to really mitigate and you know stop this and type of that vector and these knowledge knowledge-based items are down also using the pre-development phase and the post development phase but I will show you that in a bit and then we have like I said before
uh the code examples we do have like PHP and looking at examples were working on the Python and Java examples and and here we can have again uh a more
in-depth fuel and how to approach this type of functionality so for example this uh code example it's about speech followed below at each the fault levels can be done in like 3 or 4 lines of code then you have the functionality and then you have the problem but if you don't properly build this functionality by an attacker can easily on your server but loading his own code resonates executed and yet you belong to serve and so in here we have the code examples where we really want to guide to develop implementation level and create the right mind set to how to approach so for example in here we we started vegetation class we started looking class they rejected the image we selected low there then we have well we tell about what do we check so we do input validation and again input validation is really important um because those matrix we can use later on in the application to make the application and make decisions do pro active counter measurements for all that type of stuff and then we continue after you validation than we do and handle the whole functionality but before we do that we don't look that we gonna do this so sometimes you have an application that doesn't action and it does the action after action and does a lot of the whole thing that that action but what would happen if the attacker did a successful attack then it probably never reached the logging functionality and you wouldn't know that there's something wrong with somebody tried to attack you and so also in here we have I don't know it's very visible but so the common sense said a counter account and it's really reuse session must be terminated after 3 sessions terminations user account should be blocked inside threat level will lead to immediately session termination so when you have really critical functionality you need want to punish and user you want to use the validation increase the counter and saying you're doing that stuff move so here is a good example how you can use your well-being and the the audience to prevent and people at the counter measurements and well then we go further and we do the location of the checksum correct we do the load you the type checking and when it successfully lot that also right and and then we continue so as you can see it's really about getting the right mind set on how the developer should approach
and yeah and like I said before we also have affordable
that and so also here you can have a look and so
have basically that are the reference spot right if you want to have a specific question or want to have on the spot information about a certain subject you can use that knowledge base already code examples to look it up and but that's not the only thing the security knowledge framework for we also have the ability to create
projects um and in this project you can see I
already created 1 and we have the ability to use the pre-development functionality or deposed development functionality in the pre-development functionality that is
basically what a developer and I would use when he's in this friend or when he's thinking that use cases so you have to develop a new type of functionality and in here you can put it into it so even before you write a single line of code you get awareness by using the development to so for example I can say here and I work alone like Sprint do and I'm gonna have a motor functionality so now I can select multiple types of functions and basically is the technology stack sort of functionality developers you know common and is often being used so in here I can say well we're going to do something with forums we gonna do something with the upload um let's see where it is of the UK father bloat well we our loading so maybe it's also nice to you the file download so now we can add those type of
technology and functionality to this pre-development phase and now we can say OK this is a type
of functionality we want to deliver for the next release there we can click here to do and if you do result so what happens now is to secure in the knowledge framework made a poor correlation with this type of functionality to the knowledge base item in dispute knowledge framework so for example the following quote what what type of attack vectors do you have there well the following bloke injections and again you see the whole knowledgebase item in here so before developer starts running code already aware of that that vectors that are lurking around the corner for and so for the file download you have to reflect reflective download the file download injections same for forms you have this sort of better and you cannot only do and say like 0 yeah you have to do this for a no if there are multiple things you have to do to make it really a good form and submission for example symbols as single user input validation controls and other loss you have to get your cross-eyed requests closure forgery tokens open to spec uh the principle of loss privileges you have to use gets less close so if you're doing data mutations you have to do it always by post addressed a good example of the all of the all using gets so so everything is is meeting the browsing the loss except for so these are all type all things a developer should take into consideration and and I like except that it's it's telling him up front so even before you write a single line of code you get this feedback and you can also download the report as adopted square all this information is in and shared among his colleagues or 13 and so basically all the developer has this feedback he goes and built in the functionality that was desire uh when he
created the functionality you want then we got it there
but pose development phase the post development phase is
the place where we created all the code and we want to do this verification if it's all implemented correctly and and for that we are using
a corpus the readable we're using their eyes fiesta all lost applications security verification standards and we don't have uh split up into level 1 and level 1 is very nice if you want to start you don't doing any security at I would recommend starting level on uh but for this example this demo we will have a look at the
uh level 3 and she assistant and then what we will up and so basically this is the RCS project of all lost and as you can see it is a really really extensive checklist for helping developers during a verification so this part only is about out indication verification so as you can see there are a lot of the time yet security controls items in there it's like so all let's say 15 they get the next section it's about session management how to do proper session management I mean if you would miss or not do 1 of those your whole session management design is for if you forget to set for example the heart that they only or secure reflect the cookie we assessing compete you can do all this stuff and I still or an attacker can still export exploited and you know the the the whole purpose of and so access control malicious input handling crypto that error handling and loving data protection communications security the habit to protocol security malicious controls business logic and false resources all those checks are helping you know to do the verification afforded by the developer so how would a developer uses basically it is a an an expert system so it is basically using this the security controls as a question and if the developers as well yeah I thought of it I checked that do by this is all good you can select yes I'm good and if the Council an item and he didn't implemented a verify all apostrophe was not produce positive when it's and so in this case he's like ship the I'm sending the false word through in the e-mail it's like 0 yeah then you know you didn't correctly implement the security controls so you don't know and we also have the information about it gives some more context about the checklist you're verifying so again to help them understand better what is required and basically the developer will do and fill in the whole checklists then safety checklist and what disputing knowledge framework has on now he has correlated all the items that were selected as no and correlated those 2 again base items to help the developer making them aware hate he didn't implement this security control so what is the impact what can that do what RT attack
vectors so for example
the first one verify all possible not affordable often users and the so prevent password leaking that is the security base item this security control is correlated to so again you get a description of what is possible for an attacker and again you get a solution how developers should approaches and I'm at the the goal so here this is determining the level of the RCS itemsets coming from so you also know if his level 1 item or the level 3 like really critical for for high critical applications and yet and this see again this is this can be shared this can be a chat among the team and you know help the develop empowering him with knowledge and get and then make it really aware that that what the possibilities are we don't implement security controls and so basically going those are the type of core functionality when you using this security most framework and what I do personally is the oppose development phase I sit together with their their uh their development team and and really do like an extreme programming approach like get them all in the room and put the year the code on the the beaver on the big screen and really go through each item on the code level and try to well I I tried to challenge themselves but did you thought about this or when I do this you and then we go check duty implementation check all the security controls and will take me like in a day a day and a half 2 really fill in the level 3 years checklists right because it's that extensive and so that's really I in my experience is that it creates a lot of synergy I mean I learned a lot of those developers and also developed by hard so you get this nice interaction of sharing knowledge and you know it really is a nice it gives some nice atmosphere uh
so basically there was a little demo of the future knowledge framework uh and now I want to go into the next level so you know having the student knowledge relative having security requirements and that is basically the 1st step right in the whole software development lifecycle and so you still have to do manual things in the software development lifecycle by example using instituted knowledge framework filling all the questions right now also you wanted to go review if you have critical functionality like a or possibly set whatever you want to do a code review before vise principle of course you want to use static analyzer security tuning right so the the the other 2 detectors checkers and I don't want to know and inverse but so source to link then you have the dynamic version of it so that is for example the almost self quality that's really and dynamic Application security this until it can be run automatically that's true but still you have to manually validate all the findings that will pop up and and of course at the old at the end of the whole thing off the whole security and development cycle you want to do and manual pentose mine expert and why is that because those are the experts like they can then do off on stuff not focusing on such getting along you know the low stuff would really be of false edge stuff so always do by a really X and expert and so of of course we also have a lot of possibilities to automate things and all the things you can automate uh we should do right so uh what what made my life really easy way when developing goal security most framework is having automation continues integration so we can do deploys whenever rely on the multiple times a day and still get the quality of code and you know that we want to deliver so for example we use in our software development life cycle of the security most rare a project itself we use 3 types of continuous integration proving that the first one is prevalent coveralls and scrutinizer to Travis is basically a sort of a Jenkins itself build streets right you what happened is you can look at the trend is up to you get her when get up has to change and will notify prophesy you will see a pick up the new code and tried to run it a as in standing of an instance putting your code there and depending on what you're Travis folly as it will do built to project for 5 still correctly being set up and built all that stuff and then you have to cover roles the controls basically that's happening after the bill after Travis when traversal successful you don't have any simple errors the project is still in the running in a solid then it's time to duty coveralls and coveralls is basically uh getting the metrics from the unit testing and display it in a very nice manner and so the idea is when the developer does a committee and he passes the build on the Treasury's but maybe the chains go then there some type of functionality fills the developer can then see because it's companies integrated after like 1 of many that some of the unit test fails so the percentage of the the whole Goneril middle-aged drops instantly so it is a really good feedback visual loop for development see of I I killed some functionality so I have to really look at my code and where I messed up and then the last part is the scrutinizer ambition to scrutinize is the code quality uh checking tool um so what it does is when the 1st traversal successful when the cover also unit test was successful and then the last part is scrutinizer and what this does is it will analyze the code on quality level so do you have any get and go do you have any duplication code do you have any really complex if else then block uh that has no ending to the complexity but there's also a decreasing the majority in the quality of your post so again with this uh and and got this integration surface when a developer does a committee and you had created slot because dead and or duplication code the great all the project will drop and well that you know now we have 8 so it goes below a you would definitely know and then see the impact of to commit to have done so now I want to also show little with uh about uh yeah the the software development lifecycle I show you were on
the different services so
as in here this is the year the place where the security knowledge so is place and everything is is in here uh so for example all the information in the code examples all that stuff you can just look it up here click here it's it's all a markdown format so that if you want to receive any better security a modified and then we should so for example the movie and it's something here and commit change so what doesn't happen is I I made a modification um Trevor's will notice and pick it up that I didn't know a different
that this is the new code being pushed and as you can see here it already picked it up so trend nasty something strange change their in the gets the project I need to revalidate reject if everything still works so this is basically an automatic process that happens every time I do commit
it also works when somebody's forking this project in their homes space and you also have all those benefits it will due the integration only Trevor when it's correctly being built and will do the unit
testing and when that's gone it will be code quality and it's all independent of the main branch right so really cool that everybody then has this uh support and then compares integration but this would normally take about 2 and a half minutes to rebuild the whole project set up in solids and to see if there's any errors in it is that when all correctly but then creates
metrics for you know that the outcome of unit testing so unit testing produce metrics and those metrics you will see that in here and and again so it
is very obvious if you've just forget or break functionality because the displaying a graphical immediately showing different feedback something's wrong go fix and then of
course had loss then we have 2 years scrutinizer and as you can see here it will give you a great so if somebody again put very bad or not good not good code you will see immediately that he made a mistake or that he didn't have the right quality of code and we can have a look at for for example this 1 with
this has a a d a over and was already known but again so if
you would click on the grades you get the feedback of why it is that getting this great and and again so you have a feedback loop that's for sure that really helps you
develop developer so and when I was talking and now successfully are the project that set up uh test that when all well no it should go there we go to the disco the face and we run the test and then we will see that although the unit testing was correctly then we push the
and the metrics to recover also I will research in
here and in the year when refresher we'll see that
data code example followed by blah blah and we have still the same coverage so OK I didn't miss the rate any functionality and then over here
same again we'll do the skin and willing to major payload so if you go back to remain project over here and you have all those projects status details and this gives me a new 1 instant overview of what the statuses and the quality is all of my project and then when you have a lot of contributors you really want something like this right it also uh yeah help states away time from the developer so he has more time to do security right that's what we want and so again it's a really short feedback loop that is really the yeah valuable of for for developers and so yeah
I like I said we did the whole aviation example made a comparison and so what would happen if if if somebody would say this to the President for his Air Force One airplane like yes Mr. exchange 5 is not mandatory and then I mean come on so that I think we should you know take lessons from the aviation work together if you are experience if you have knowledge about security please help I mean we all in here to you know make it a better world it's all win win for everybody and if you would like to help disputed knowledge framework please do if you want to help out all the rows projects where you have a certain type of experience build up please help I mean uh which we are all in it together I also use the same airplane you're all going use and I'm also gonna use all these services you're gonna use I mean it's all heavily connected right now and and this is the moment to step up or are we end up like the airplane it's coming down right and so they're basically that was the uh Michael art any questions it was a lot of information and it's not only about doing security by design this is also about the whole process about the whole software development lifecycle using integration tools here as well and it would be really nice to have more code examples because you know on the level of the application security verification standard that's really cool but it is more generic way right it's just words and and you still can have the awareness that you know you have to do something made only implementation level there are so many things that go wrong and that's also would you show what you know about and so yeah I would like to have more code examples that that the help and guide developers and empowered and with the knowledge to really know create security applications so yeah if you can write java byte in that some of these help if you're really good at you know going then and written it nicely uh also step in our help uh check your side there are tons of really cool project uh that that are you know having value for example the lost dependency checked it is a static analyzer tool this finding all all TVs in you know use libraries or whatever and every time I run that project and and the tool I found like 154 abilities known sees in you know current project is like a lot so again have a look at at the oldest sites in and maybe disputing which framework and announced that open and help help us help yourself right that works yeah you know how these GO-CCO is a relaxing these also uh you know an open source their visionary he created the secular school for example so we we are all the same lines over there and we really want to add value to the world and make it available for everybody and there
Computer animation


  553 ms - page object


AV-Portal 3.8.0 (dec2fe8b0ce2e718d55d6f23ab68f0b2424a1f3f)