Slide 1

Secure Coding at OWASP
Zaki Akhmad, OWASP Indonesia
30 May 2012
Zaki Akhmad (OWASP Indonesia), Secure Coding, 30 May 2012

Slide 2

Table of Contents
1 Why Secure Coding Is Needed
2 OWASP
  Tools
  Documentation
  Conferences
  Chapters
  OWASP Indonesia
  Secure Coding Projects
3 Secure Coding
  Where is Secure Coding?
  Some Code Snippets
  OWASP Secure Coding - Quick Reference Guide
4 References

Slide 3

About Zaki Akhmad
Email: [email protected]
Twitter: @zakiakhmad
Education: Master's degree in Electrical Engineering, ITB, 2007-2009; Bachelor's degree in Electrical Engineering, ITB, 2001-2006
Work: indocisc, Security Analyst, 2007 - present; PAU-ME, Researcher, 2007-2009

Slides 4-6

Why Is Secure Coding Needed?
... in practice, firewalls and IDS/IPS cannot prevent SQL injection attacks. The application itself has to be secure.

Slide 7

OWASP Projects
Tools
Documentation
Conferences
Chapters

Slides 8-11

OWASP - Tools
ZAP Proxy (http://goo.gl/Y6oWy): web application proxy
WebGoat (http://goo.gl/9RN63): deliberately insecure J2EE web application
GoatDroid (http://goo.gl/k7Rt4): a fully functional training environment for exploring Android mobile application security

Slides 12-16

OWASP - Documentation
OWASP Top 10
OWASP Testing Guide
OWASP Development Guide
OWASP ASVS
...

Slide 17

OWASP - Conferences
Summit
Regional conferences (Asia-Pacific, Europe, North America, Latin America)

Slide 18

OWASP - Chapters
Singapore, Malaysia, South Korea, Indonesia, Japan

Slide 19

OWASP Indonesia
Website: www.owasp.or.id
Twitter: @owaspid
Mailing list: [email protected]

Slide 20

OWASP Indonesia - Translation Projects
OWASP Top 10 - 2010
OWASP ASVS

Slide 21

Secure Coding Projects at OWASP
Secure Coding Principles
Secure Coding Practices - Quick Reference Guide
ESAPI

Slide 22

Secure Coding: Where is Secure Coding?
Source: Software Security, Gary McGraw

Slide 23

Secure Coding: Some Code Snippets
Code snippet 1 (DVWA, SQL Injection source, low security level; deliberately vulnerable):

 1  <?php
 2
 3  if(isset($_GET['Submit'])){
 4
 5      $id = $_GET['id'];
 6
 7      $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
 8      $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );
 9
10      $num = mysql_numrows($result);
11
12      $i = 0;
13
14      while ($i < $num) {
15
16          $first = mysql_result($result,$i,"first_name");
17          $last = mysql_result($result,$i,"last_name");
18
19          $html .= '<pre>';
20          $html .= 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
21          $html .= '</pre>';
22
23          $i++;
24      }
25  }
26  ?>

Note lines 5 to 8: $id is taken straight from $_GET['id'] and concatenated into the SQL string, so a single quote in the request changes the structure of the query. Line 8 also echoes mysql_error() to the client, which hands the attacker the database's own diagnostics.
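The lookup above, rewritten in Python as an added example (not code from DVWA, OWASP or the slides) so the injection and its fix can be run side by side. SQLite stands in for DVWA's MySQL users table and the rows are constructed sample data; the vulnerable function mirrors lines 5 to 8 of the listing, and the hardened one binds the value as a parameter after checking the type the schema expects. The payloads are ordinary HTTP parameter values, which is the point of slide 6: nothing about them looks abnormal to a firewall.

```python
"""DVWA-style user lookup: string-built SQL beside a parameterized query.

Added example, not code from DVWA, OWASP or the slides. SQLite stands in for
DVWA's MySQL 'users' table; the rows are constructed sample data.
"""
import sqlite3
from typing import List, Tuple

# Constructed sample data with the column names the PHP listing selects.
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Mirrors lines 5-8 of the listing: untrusted input is spliced into the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Validate the type the schema expects, then bind the value as a parameter.

    The driver sends user_id as data, never as part of the SQL statement, so
    quotes or keywords in the input cannot change what the query does.
    """
    if not user_id.isdigit():
        return []
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (int(user_id),)
    ).fetchall()


# Tautology payload: closes the quoted literal and appends an always-true clause.
TAUTOLOGY = "' OR '1'='1"

# UNION payload: reads the schema out of SQLite's catalogue; '--' comments out the
# trailing quote the original query appends. (MySQL would need a different table name.)
SCHEMA_LEAK = "' UNION SELECT name, sql FROM sqlite_master --"


if __name__ == "__main__":
    db = make_db()
    print("normal    :", lookup_vulnerable(db, "2"), lookup_safe(db, "2"))
    print("tautology :", lookup_vulnerable(db, TAUTOLOGY))    # every row
    print("schema    :", lookup_vulnerable(db, SCHEMA_LEAK))  # CREATE TABLE text
    print("hardened  :", lookup_safe(db, TAUTOLOGY), lookup_safe(db, SCHEMA_LEAK))
```

The hardened version does two independent things: the type check rejects anything that is not a number for a numeric key, and the parameter binding would keep the query intact even for a free-text column where such a check is impossible. Parameter binding is the control that generalizes; the type check is defence in depth.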

Slide 24

Secure Coding: Some Code Snippets
Code snippet 2 (DVWA; listing fragment)

 1  <?php
    ... ' . mysql_error() . '</pre>' );
21  ...
    Damn Vulnerable Web Application (DVWA) is a RandomStorm OpenSource project
28  ";
29  ?>

Note line 17.

Slides 25-29

Secure Coding: OWASP Secure Coding - Quick Reference Guide
Overview
Technology agnostic coding practices
What to do, not how to do it
Compact, but comprehensive checklist format
Focuses on secure coding requirements, rather than on vulnerabilities and exploits
Includes a cross-referenced glossary to get developers and security folks talking the same language

Slide 30

OWASP Secure Coding - Quick Reference Guide: Table of Contents
1 Introduction
2 Software Security Principles Overview
3 Secure Coding Practices Checklist
4 Links to Useful Resources
5 Glossary of Important Terminology

Slide 31

OWASP Secure Coding - Quick Reference Guide: How to Use It
1 As a guidance document during development
2 As a supporting document for the SDLC
3 As a requirements document when outsourcing
  1 Identify the security requirements of the development project
  2 Put them into the RFP and the contract

Slide 32

OWASP Secure Coding - Quick Reference Guide: Secure Coding Practices Checklist
1 Input Validation
2 Output Encoding
3 Authentication and Password Management
4 Session Management
5 Access Control
6 Cryptographic Practices
7 Error Handling and Logging
8 Data Protection
9 Communication Security
10 System Configuration
11 Database Security
12 File Management
13 Memory Management
14 General Coding Practices

Slide 33

OWASP Secure Coding - Quick Reference Guide: Input Validation
If any potentially hazardous characters must be allowed as input, be sure that you implement additional controls like output encoding, secure task-specific APIs and accounting for the utilization of that data throughout the application. Examples of common hazardous characters include: < > " ' % ( ) & + \ \' \"
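The two controls the checklist item pairs, as an added example that is not part of the guide or the slides: an allow-list for a field that never needs hazardous characters (reject, do not clean up), and output encoding for a free-text field that must accept them. The username rule and the comment markup are assumptions made here; html.escape is the standard-library encoder for the HTML text and quoted-attribute contexts.

```python
"""Allow-list validation paired with HTML output encoding.

Added example, not from the Quick Reference Guide. It shows the two controls the
checklist item pairs: reject hazardous characters where a field never needs
them, and encode them on output where they must be accepted.
"""
import html
import re

# Characters the guide lists as commonly hazardous.
HAZARDOUS = set('<>"\'%()&+\\')

# Assumed allow-list for a username: letters, digits, dot, underscore, hyphen; 3 to 32 chars.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")


def validate_username(value: str) -> bool:
    """A username never legitimately contains a hazardous character: reject, don't clean up."""
    return _USERNAME_RE.fullmatch(value) is not None


def hazardous_chars(value: str) -> str:
    """The guide's hazardous characters present in value, for diagnostics and logging."""
    return "".join(sorted(set(value) & HAZARDOUS))


def encode_for_html(value: str) -> str:
    """Output encoding for HTML text and double- or single-quoted attribute values.

    & < > " ' become entities, so whatever the free-text field carried cannot
    open a tag, close an attribute or start an entity of its own. The other listed
    characters are inert in these two contexts and are left alone; a URL or
    JavaScript context would need its own encoder.
    """
    return html.escape(value, quote=True)


def render_comment(author: str, body: str) -> str:
    """author is a restricted field, so it is validated; body is free text, so it is encoded."""
    if not validate_username(author):
        raise ValueError(f"username rejected by allow-list (hazardous: {hazardous_chars(author)!r})")
    return (f'<p data-author="{encode_for_html(author)}">'
            f'<b>{encode_for_html(author)}</b>: {encode_for_html(body)}</p>')


def raw_markup_chars(encoded: str) -> str:
    """Characters that could still act as markup after encoding (expected: none)."""
    return "".join(c for c in encoded if c in '<>"\'')


if __name__ == "__main__":
    print(render_comment("alice_01", "<script>alert('x')</script> & \"quotes\""))
    try:
        render_comment("alice<script>", "hi")
    except ValueError as exc:
        print("rejected:", exc)
```

Validation and encoding are not alternatives: the body field shows why validation alone cannot work for free text (a comment may legitimately contain < or '), and the author field shows why encoding alone is not enough (a name like alice<script> should never have been stored in the first place).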

Slide 34

OWASP Secure Coding - Quick Reference Guide: Authentication and Password Management
If your application manages a credential store, it should ensure that only cryptographically strong one-way salted hashes of passwords are stored and that the table/file that stores the passwords and keys is writable only by the application. (Do not use the MD5 algorithm if it can be avoided)
Use only HTTP POST requests to transmit authentication credentials
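A credential-store routine meeting the item above, as an added example that is not from the guide or the slides: a per-password random salt, an iterated one-way function (PBKDF2-HMAC-SHA256 from the standard library, chosen here as a widely available option rather than as the guide's prescription), constant-time comparison, and a way to raise the work factor later. The record layout "pbkdf2_sha256$iterations$salt$hash" is an assumption of this example so that salt and iteration count are stored with the hash.

```python
"""Salted, iterated one-way password hashing with the standard library.

Added example, not from the Quick Reference Guide. The stored-record layout
"pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>" is an assumption made here
so that salt and work factor travel with the hash.
"""
import hashlib
import hmac
import secrets
from typing import Optional

SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000   # current work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record; a fresh random salt per password by default.

    The salt means two users with the same password get different records, and
    a precomputed table of hashes is useless against the store.
    """
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    try:
        iterations = int(parts[1])
        salt, expected = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record uses a weaker work factor than the current setting.

    Call after a successful verify_password() and store hash_password(password)
    again; that is the only moment the plaintext is available for upgrading.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Correct horse battery staple", record))   # False
```

The guide's remark about MD5 is about this function slot: a single fast, unsalted digest can be brute-forced or looked up at rates of billions per second, whereas the iteration count here makes each guess cost the attacker as much as it costs the login path.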

Slide 35

OWASP Secure Coding - Quick Reference Guide: Error Handling and Logging
Do not disclose sensitive information in error responses, including system details, session identifiers or account information
Use error handlers that do not display debugging or stack trace information
Implement generic error messages and use custom error pages
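A last-resort error boundary following the three points above, as an added example that is not from the guide or the slides, next to the leaky pattern it replaces. The handlers and the failure message are constructed for the demonstration, and the short reference id that lets support match a user report to the server log is an assumption of this example, not something the guide specifies.

```python
"""Generic error responses to the client, full detail in the server log.

Added example, not from the Quick Reference Guide. The handlers and the
failure message are constructed; the short reference id that lets support
find the matching log entry is an assumption of this example.
"""
import logging
import traceback
import uuid
from typing import Callable, Tuple

log = logging.getLogger("app")
Response = Tuple[int, str]


def handle_request_leaky(handler: Callable[[], str]) -> Response:
    """The pattern the checklist rules out: the exception and stack trace go to the client."""
    try:
        return 200, handler()
    except Exception as exc:
        return 500, f"Error: {exc}\n{traceback.format_exc()}"


def handle_request(handler: Callable[[], str]) -> Response:
    """Last-resort boundary: log everything server-side, answer with a generic message."""
    try:
        return 200, handler()
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        # Type, message and stack trace are recorded only where operators can read them.
        log.error("ref=%s unhandled %s: %s\n%s", ref, type(exc).__name__, exc,
                  traceback.format_exc())
        return 500, f"An internal error occurred. Quote reference {ref} when contacting support."


def failing_handler() -> str:
    # Constructed failure carrying the kind of detail that must never reach a client.
    raise RuntimeError("connect failed: db01.internal:3306 user=app password=hunter2")


def response_leaks(body: str) -> bool:
    """Does a client-visible body expose internals? Used to compare the two handlers."""
    markers = ("Traceback", 'File "', "db01.internal", "password=", "RuntimeError")
    return any(m in body for m in markers)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for boundary in (handle_request_leaky, handle_request):
        status, body = boundary(failing_handler)
        print(boundary.__name__, status, "leaks" if response_leaks(body) else "generic")
        print(body)
```

The same reference id is the only thing the client and the log have in common, so support can pull up the full record while the response itself tells an attacker nothing about the database host, the account in use or the code path that failed.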

Slide 36

References / Further Reading
Gary McGraw, Software Security
Mozilla Secure Coding Guidelines
OWASP Secure Coding Practices, Quick Reference Guide
Damn Vulnerable Web Application (DVWA)

Slide 37

Thank You
hatur nuhun, matur suwun, thank you, arigatou, danke, merci beaucoup
Photos: flickr.com/zakiakhmad