Securing Java Web Applications

Securing Java Applications

Joseph Konieczka

Sales Engineer

BrixBits

Agenda

• Current State

• OWASP Top 10

• Guidance and Resources

• WebGoat, BodgeIt, ZAP, and Burp Suite

• BrixBits Security Analyzer

• Q & A

Are DEV SEC and OPS teams Communicating?

NGFW, WAF, IPS, and more!

Hackers have time. You don’t!

OWASP

• Open Web Application Security Project (OWASP)– https://www.owasp.org/index.php/Main_Page

• Top 10 Project– https://www.owasp.org/index.php/Top_10

• Cheat Sheets– https://www.owasp.org/index.php/Cheat_Sheets

• Application Security Verification Standard Project– https://www.owasp.org/index.php/Category:OWASP_Appli

cation_Security_Verification_Standard_Project

• Testing Guide– https://www.owasp.org/index.php/OWASP_Testing_Guide

_v4_Table_of_Contents

OWASP Top 10 2013 Application Security Flaws (new version currently under review)

• Injection• Broken Authentication and Session Management• Cross-Site Scripting (XSS)• Insecure Direct Object References• Security Misconfiguration• Sensitive Data Exposure• Missing Function Level Access Control• Cross-Site Request Forgery (CSRF)• Using Components with Known Vulnerabilities• Unvalidated Redirects and Forwards

https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013

INJECTION

Are your JARs vulnerable?

OWASP Java Resources

• https://www.owasp.org/index.php/Java_Security_Resources

• https://www.owasp.org/index.php/Category:OWASP_Java_Project

• https://www.owasp.org/images/8/89/OWASP_Top_10_2007_for_JEE.pdf

• http://www.slideshare.net/MasoudKalali/owasp-top-10-and-java-ee-security-in-practice

Coding Guidelines

• Oracle

– Secure Coding Guidelines• http://www.oracle.com/technetwork/java/seccodeguide-

139067.html

– Java Security Resource Center• http://www.oracle.com/technetwork/java/javase/overview/s

ecurity-2043272.html

• SEI CERT Oracle Coding Standard for Java

– https://www.securecoding.cert.org/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java

Standards

• National Vulnerability Database Common Vulnerability Scoring System [CVSS]

– https://nvd.nist.gov/cvss.cfm

• PCI SSC Data Security Standards Overview

– https://www.pcisecuritystandards.org/security_standards/

– Requirement 6: Develop and maintain secure systems and applications

Books

• Current– Iron-Clad Java: Building Secure Web Applications

by Jim Manico

• Slightly Dated– Java Coding Guidelines: 75 Recommendations for

Reliable and Secure Programs

– CERT Oracle Secure Coding Standard for Java

– Authors of both books: Fred Long, DhruvMohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda

Certification

• GIAC

– Secure Software Programmer-Java (GSSP-JAVA)• http://www.giac.org/certification/secure-software-

programmer-java-gssp-java

• (ISC)2

– CSSLP - Certified Secure Software Lifecycle Professional

• https://www.isc2.org/csslp/default.aspx

Security isn’t a laughing matter

It’s not MAGIC

But sometimes it is Rocket Science

Vulnerable Web Applications

• WebGoat– https://www.owasp.org/index.php/Category:OWASP_

WebGoat_Project

• The BodgeIt Store– https://github.com/psiinon/bodgeit

• Security Shepherd– https://www.owasp.org/index.php/OWASP_Security_

Shepherd

• Directory– https://www.owasp.org/index.php/OWASP_Vulnerabl

e_Web_Applications_Directory_Project/Pages/Offline

YouTube Tutorials

• OWASP ZAP Tutorial Videos

– https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB

• OWASP Appsec Tutorial Series

– https://www.youtube.com/channel/UC5xIEA6L0C2IG3iWgs8M2cA

• Many, many others

Call to action

• Log vulnerabilities (security defects) in your bug tracking system

• Consider certification

• Spread the word

– Other developers

– Systems administrators

– Business teams

TEAMWORK = Awesome!

http://brixbits.com/