Sign Hawaii Banking Permission Slip Secure

Industry sign banking hawaii permission slip secure

hey everybody thank you for being here at NDC Copenhagen we're gonna talk about application security today and how to address it from a standard point of view we're gonna look at a SBS standard for point 0.1 we're gonna talk about why it's important why it matters we're gonna talk about why it's changed and we're gonna look at ways that you can use it effectively in software development to help to help you do security better right who here is God who here is doing software development who can say I got security all figured out no problem we're all we're all set on security here at the software company and that's nobody because it's still an emerging topic that everybody struggles with no one's innocent here right kind of like the corona virus you know it's like it's the great equalizer information security my name is Jim I'm gonna be your speaker for this section I'm a former board member the OS foundation I work on the several OS projects like the cheat sheet series and the standard the ASVs standard and one of them I'm one of the authors of it then coding for a long time I live in Hawaii I live in Virginia right now I'm in Virginia stored up in rural Virginia with a lot of food supplies guns and ammo and the hope that we don't degenerate into rioting and looting across the world we'll see we'll see and I hope no I really hope that you don't lose any loved ones but this is good a lot of people are gonna get hurt by this and the song of the day is don't fear the reaper it's gonna hit us all no one gets out of this alive alright that side let's talk about security enough about the news of the day look at this email address this is a valid email address that is gonna be it's gonna be accepted by your validation layer it's a legal email address you can email me at but it's a sequel injection payload so the point is even valid data can cause injection I digress here's the OWASP top 10 these are the top security risks it's a publication that a wasp pushes out every three years or so it's a very famous list these are the top ten security issues of the day and a lot of standards cite this top 10 list in particular the payment card industry's data security standard they cite the OWASP top 10 here as part of that standard I kind of think this is a bad idea anyways these are some of the new categories they're talking about proper logging a very specific issue like xxe and xml security issue and insecurity serialization what are the newer topics in the world of web security the point is this is not an organized list it's ten kind of random topics some are high-level topics like authentication some are specific like xxe you don't want to base a security program off this this o wass top 10 you want to read it once you want to enjoy it once and use it to learn but then go to something else and let let's take a step back here when we look at an application security program there's a lot of practices that security professionals in my industry will talk about and my industry is application security it's the security of building secure software and testing software for security there's all these things we recommend from security unit testing DevOps automation of security testing planning sprint assistance for security all these I'm gonna hammer in on this whole idea of a security checklist this is how AAS ves started and ASVs stands for the application security verification standard this is a documentation project from the OWASP open source nonprofit foundation when this project first started as a basic checklist of some of the top things you can do in terms of requirements for secure development and it was not really meant to be a standard it was just a bunch of leading practices and what this really is is this is the wasds that we're talking about this is web application and API application application security verification standard since this standard was published other sub standards have also been released like the mobile application security verification standard the IOT application security verification standard so we're gonna focus on the web version of ASDs the original version of this standard and by the way the latest version 4.0 point 1 the world the four Oh Virgin this was done in github and we took open comments from the world to to triage and to clarify and to fix the requirement list that we built for this standard so it wasn't done in a closed room you know with a secret cabal it was done out in the open where community comments were welcomed and any standard that doesn't do that buff ANBU do that too standard I would say to Italian all right so this is the standard this is the essential part of the standard a list of requirements each requirement is going to be granular like look at this verify that the user passwords are at least 12 characters in length that's our minimum rec recommendation for password length and every app should do this level one two and three level one says love level so at level one two and three the lowest level says every app to do this a level above that is for like apps but sensitive data and the highest level is like infrastructure apps apps let's shoot missiles or stuff like that really high-end infrastructure or billions of Records so three levels of severity to consider for these requirements and and you lose involved a lot of people right I'm one of the authors that was originally worked on by Jeff Williams Dave Ricker's and Mike Barsky were some of the original authors of it this is the current team working on the latest couple of versions Andrew Vander stock is the spiritual leader and he's really the main thrust here the annual customer twitter out to the beginning a great helper i've been working on the last two versions josh Grossman and Mark in eBay were the three big volunteers who helped the latest version did the majority of the work and lot of reviewers out there like Ron Paris MP Emmer and Adam Claude hill and lots of real smart people jumped in smarter than us to help clarify our requirements this is what makes it great now what we changed in the 4.0 version is to make the actual like artifacts behind the standard more useful so everything's in markdown it's just there's a script that we can use to generate a version of this in any kind of file format so the the raw standard itself is usable by teens so that I think that's important it's comunist 853 compliance that's the that is the digital authentication guideline from the US government and they released a new identity guideline out like last year that was mind-boggling and how awesome it was and well-written it was and you know you don't have to follow our standard you can swap out the authentication requirements for your European standards so I know you have specific standards around banking using digital certificates there's no reason why you can't swap out sections for your own standards also you know we had an IOT section but IOT is not specifically web IOT is its own thing so we ripped out all the IOT requirements that were newly written for 4.0 and instead of adding it to the 4.0 standard we just did a preview appendix chapter so the requirements are there but they're not being mixed in with web these are first different teams should have different requirements based on your architecture we also change your requirements to address for real what a modern web application is full support for things like lambdas and containers a lot more requirements in the world of API since they've taken off more thick more requirements around Dom XSS and jump since javascript clients are are in vogue these days and similar we have those requirements augmented in the latest version we also Maps the requirements to cwe's but let's talk about cwe cwe's it's the common weakness of numeration a list of weaknesses from mitre it's a standard in the world of security and a very important one let's talk about this ASVs the standard that we've written this is about controls for Web Apps and weaknesses are not controls there's no way to make a clean mapping and the mapping doesn't even make sense but we got asked to do it so many times that we just did it to shut people up so we can move on with our lives that's the truth so it's an imperfect mapping it's ugly and not every item has a cwe but we did it check the box that box is checked we did it so what's changed everything we remembered everything from scratch okay this is not exciting but it's important the numbering matters because we aversion one we have requirements a 1 2 & 3 then for version 2 removes a second requirement now we have requirement 1 & 3 & 5 & 6 so after several versions we have requirement 1 3 9 11 a lot of a lot of gaps so a version requirement a ASVs 4 we wipe the slate clean and we and we could we'd wipe the slate clean and renumber and everything from scratch new can pave baby you know like we're seeing right now so each section is reorganized and reordered we got rid of a lot of duplications and l1 is the new minimum we say l1 are the require any requirement flagged as l1 and again this is required this standard is just a list of about 300 or so requirements that's the whole standard that's the guts the guts of this l1 our requirements that every action follow remember every standard every requirement is flagged as l1 l2 or l3 and l1 is every app that's the new minimum all of level one should be testable by your pen testers it's the only level that's easily testable and you should be doing hybrid reviews with the combination of a penitent penetration tester by a security expert and using a variety of scanning tools to augment that work and by the way DevOps is about scanning like a hundred times a day I digress so we also added in the PCI requirements we didn't like to do this it's not super web-centric but it's needed for PCI support because we're trying to help place the OWASP top 10 in pci so we want to make PCI happy so they get rid of the OWASP top 10 out of PCI and use a SBS instead so we included buffer overflows integer and say string operations and other things to ensure PCI compliance within our standard they don't they're not perfect maps to the standard but we made PCI happy and that's a big win um what's gone the mobile chapters removed mobiles out mobile has its own standard than mobile ASVs the iot chapter pushed to the appendix any defense that was one browser or one language only we got rid of it and things that weren't that important that were debatable we got rid of it so we're cleaning house we're cleaning it up so here's the ASVs detail so section i'm not gonna talk about every requirement there's 300 requirements or so so i'm gonna talk about the categories and then we'll finish up here so level so level of category one architecture this is about like the design of your app and more high-level issues um we talked about the need for process like a secure software the moment lifecycle we talked about the need for security review like threat modeling and we talked about the idea just the general requirements that you have to build security in from day one at the design and architectural conception so it's like security is intentional so the thing that you build not something you slap on at the end we don't do this for it's not level 1 it's for level 2 and 3 apps only for high high-risk risky apps high sensitive data and similar level to a category 2 is authentication identity we align this again with NIST 863 except for passwords this says to use 8 character passwords but fungo you like character password we do 12 character passwords at the ASVs that's level 2 so credential life cycle from issuance to retirement we we talked about credential construction protection we talked about new attack attack categories like credential stuffing and how to store a pass Fido and multifactor so it's a modern set of requirements to give developers proper guidance level 3 session management the big change there is we talked about adding jots to your world JSON web tokens JSON web tokens are the main artifacts used for stateless session management when you primarily for stateless api's that's a big departure from web app session management that we had in days gone by so category 4 of the ASDs standard if you just got here hello you're late but if you just got here we're talking about the OWASP application security verification standard a list of security requirements for developers and web development we're looking at the different categories right now because you're late this is kind of going for this covers API access control security which is a bit different than web app security like map and Olaf the mapping to arrest design and and we cover serverless TechEd here as well which is a little different the way we design access control in similar layers level 5 is about like basic data handling you validate you sanitize it you're in code when you're trying to use data when you have data that you have from a user or any variable frankly but primarily users are untrusted data data that the attacker can modify you got to validate it or you have to sanitize it or encode it before you use it depending on what you're doing with it and explaining this is important we also and this is all about user interface security primarily but also issues like injection prevention validate validating URLs to stop server side request forgery and proper configuration for things like - serialization attacks are just not doing it design stuff so major revamp of this section that talks about data handling for user interface stuff like you validate if it's a URL I'm putting into a form tag for the action I want to validate to make sure that URL is not a JavaScript URL or similar if I'm letting the users submit HTML that I'm gonna render for another user like you a WYSIWYG editor I want to run that through an HTML sanitizer that's and if I want to display data exactly like a user typed it in in a web page I want to encode you some kind of escaping there's a quick blip on what those three controls are about story cryptography we the big change there is using modern key management mechanisms and key stores level six error handling we we talked about being careful not to leak sensitive information and errors we talked about proper logging error handling is boring I like it it's important but I'm gonna move on I move on v8 data protection like encryption in transit sensitive data protection around gdpr and California laws and how to properly store data client-side and what the risks are with that like local storage I can hack me some local storage cross-site scripting if I can inject JavaScript into your website I could steal all the data from local storage it's terrible v9 communication security so v8 is data protection more around protecting data at storage so and I slipped up there a bit it's just a data storage security where v9 is communication security mostly most most importantly proper HTTPS Everywhere configured properly category tens about malicious code things like Easter eggs and backdoors and similar that's it's usually a level three issue category 11 business logic you know something as simple as a step abuse attack where suppose you have an e-commerce website where I add items to a shopping cart I check out and my address add my payment information and then complete the checkout if I can skip by hard-coding the URL and add to my shopping cart then skip to the checkout step and just check out without paying that's an abuse of business logic common problems hard to find files and resources we're fixing things like remote file inclusion primarily and in and out and file upload download security and just file i/o as we mix that with user requests and user input and get real tricky we cover all that in this section level 13 category 13 is a complete revamp right it's a complete revamp API security addressing restful stuff addressing new things like graph QL it's a whole party v14 configuration primarily to address the cloud and and modern deployment mechanisms like and it's the same old stuff it's just a different way to configure it some really unique things you got to get right on pushing stuff to the cloud and very often we see less professional administrators and more developers managing these things which is good an bad bad if you know the skills good in in that we have less we have more power we give to the developer to get stuff done so all the configuration stuff is there now our recommendation is again you don't just use ASVs out-of-the-box what I recommend you do is you fork it specific for your company let developers make the final decisions around what requirements you're going to keep so they own it so they do it and you can modify your fork of the standard over time as you want to augment the work that you're doing or if you're go to use ASVs out-of-the-box as is start with level one and for every app and work your way up to level two and level three for for the more sensitive apps within your organization you can it's free you know the 4.0 point one was released last year so it's been around for a year already there's wiki and github if you're opinionated and don't like our comment I don't like our requirements I applaud your intellect please go to github and give us comments under the 4.0 point one branch it's all it's on the wiki all our contact informations on the wiki and if you have questions for me I'm Jim at a loss org I'm also at gym at mana code calm my day job I'm really happy you're here at NDC Copenhagen to learn more about software development I hope you download and read and review all of the ASVs requirements to teach you more about application security while you're going through it if you have any questions and one of the authors just drop me a note I'm always happy to answer questions you're great you're awesome I'm done with this talk you have a wonderful day and don't forget don't fear the reaper I weep for those we lose I do and it may hit you but you know just keep charging learn about security learn more about development master the art while you're hidden away at home master the art of software engineering even more I have a great time out there thank you so much everybody you