Slide 1

Connected API Security Based on OWASP Top 10 Most Critical Security Risks 2017 Riotaro OKADA Asterisk Research Executive Director & Researcher

Slide 2

“Who are you and OWASP?” OK, let me introduce

Slide 3

Riotaro OKADA: speaker profile

Slide 4

Security for the Connected World?

Slide 5

apps / Web service / GAFMA
The classical 7 layers of the OSI reference model are now software-oriented.

Slide 6

(Every one of the seven layers is labelled “software”)
The classical 7 layers of the OSI reference model are now software-oriented.

Slide 7

OWASP
OWASP is a global community that drives the visibility and evolution in the safety and security of the world’s software.

Slide 8

“So what? My team provides the secure system.” OK, let us dive into the real

Slide 9

“When a security test loves a release…”
Build → QA → Deliver (payment system development)
SECURITY TEST!! → FIX / HIDE… / GIVE UP
Builders’ pain
• Time to market / deliver features first
• Lack of AppSec skills and tools
• Lack of management buy-in and funding
Defenders’ pain
• Fear of breaking the app when fixing security vulnerabilities
• Identifying all apps in the portfolio
• Silos between development, security and the rest of the organization
Source: SANS Institute (2015), Q. “Top Challenges for Builders and Defenders”

Slide 10

ENISA Threat Trend Top 15 (2018/1)
• Web based attack
• Web Apps attack
• Denial of Service
• Phishing
• Spam
• Physical loss
• Data breaches
• …

Slide 11

Measures?
Chart: “% of Attacks” (threat) vs. “% of Dollars” (measures), split between Network and Applications; values shown on the slide: 90%, 95%, 10%, 90%
95% of apps have serious vulnerabilities (NIST)
• Unmatched defense
• Few expert education
• Lack of earlier testing
• Ad-hoc process
• Poor procurement policy
• Legacy system lock-in
• …

Slide 12

Good news: PCI DSS Requirements note OWASP
• 1.1 Network security
• 2.2 Configuration standard
• 2.3 Admin console
• 4.1 Secure protocol
• 6.5 Software development

Slide 13

“OWASP TOP 10 Most Critical Risk”

Slide 14

Most Critical Application Risks
• Focusing on risks caused by software weaknesses and vulnerabilities
• Not only for engineers: for managers and owners too
• Common literacy and the first step to Secure Software Development
Published since 2003
• 2003, 2004, 2007, 2010, 2013
• 2017 Nov released
• Key trends: API, microservices

Slide 15

The most popular reference for application risks (SANS Institute, 2015)
• CERT Secure Coding Standards
• OWASP Top 10
• ISO/IEC 27034
• NIST 800-53/64
• Mitre/SANS CWE Top 25
• Microsoft SDL
• BSIMM
• Critical Security Controls
• OpenSAMM
• SAFECode
• Other

Slide 16

OWASP Top 10 2017 (chart: entries marked NEW, NEW and Constant; notes 1, 2)

Slide 17

How can we mitigate the risks like these…?

Slide 18

Solution: “SHIFT LEFT”. No need to wait until a security incident occurs.
Chart: Design → Develop → Verification → Operation; cost to fix a design problem, an implementation problem and a delivery problem (values shown across the phases: 1, 6.5, 15, 100; further labels: 30, 85, 20, 10)

Slide 19

Where security work starts (SANS Institute, 2015)
Software Development Phase     Percent
Planning & Requirements        53.4%
Design                         16.5%
Develop                        14.6%
Check-in                        4.9%
Before release                  8.7%
Other                           1.9%
Shift Left 1. Arrange and hire red teaming from the planning stage.

Slide 20

Shift Left Secret 2. Introduce security controls proactively into the development process
OWASP Top 10 Proactive Controls 2016:
C1: Verify for Security Early and Often
C2: Parameterize Queries
C3: Encode Data
C4: Validate All Inputs
C5: Implement Identity and Authentication Controls
C6: Implement Appropriate Access Controls
C7: Protect Data
C8: Implement Logging and Intrusion Detection
C9: Leverage Security Frameworks and Libraries
C10: Error and Exception Handling

Slide 21

NOTE: One good practice saves the software from various vulnerabilities!
KEY POINTS:
C1: Early and proper verification at each step: Plan, Design, Components, Code, Configuration, UI and…
C2-4: Let them focus on Secure Coding Practices
C5, 6: Authentication and Access Control design
C7: Data Protection
C8: Logging and Identification
C9: Use Security Frameworks properly
C10: Safety by Default
https://www.owasp.org/index.php/OWASP_Proactive_Controls?refresh=123#tab=Top_10_Mapping_2016
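The three coding-level controls grouped above as C2-4 (parameterize queries, encode data, validate all inputs) are easiest to see side by side in code. The block below is an added worked example in Python; it is not from the slides, from OWASP, or from Asterisk Research. The user table, the usernames and the username policy regex are constructed for the demonstration; the only library calls are the standard-library sqlite3, html and re modules.

```python
import html
import re
import sqlite3

# Constructed sample data, not from the slides: a tiny in-memory user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# C2 violated ("before" picture): the query is assembled by string
# concatenation, so quote characters in `name` change the SQL itself.
def lookup_unsafe(conn, name):
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

# C2 applied: the driver binds the value as a parameter; whatever the
# string contains, it is compared as data and never parsed as SQL.
def lookup_parameterized(conn, name):
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# C4: allow-list validation of the username before it reaches any sink.
# The pattern is a hypothetical policy: lowercase start, 3..32 characters.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

def validate_username(name):
    return USERNAME_RE.fullmatch(name) is not None

# C3: contextual output encoding for an HTML text node. This, not input
# validation, is the primary XSS defence (see the cheat sheet notes).
def render_greeting(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

def demo():
    """Runs the contrast end to end; returns (unsafe rows, safe rows, valid?)
    for one constructed input containing a quote and an OR clause."""
    conn = make_db()
    crafted = "x' OR '1'='1"   # constructed test string; treated as data below
    unsafe_rows = len(lookup_unsafe(conn, crafted))
    safe_rows = len(lookup_parameterized(conn, crafted))
    return unsafe_rows, safe_rows, validate_username(crafted)

if __name__ == "__main__":
    # (2, 0, False): concatenation returns every row, binding returns none,
    # and the allow-list rejects the string before it reaches either query.
    print(demo())
```

The order matters: validation (C4) runs first and rejects most malformed input outright, but the query stays parameterized (C2) and the output stays encoded (C3) regardless, because validation alone is the secondary control.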

Slide 22

Secure coding practices are not far away.
https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
Authentication Cheat Sheet
Ensure all entities go through an appropriate and adequate form of authentication. All non-public application resources must be protected and must not be bypassable.
Session Management Cheat Sheet
Use secure session management practices that ensure authenticated users have a robust and cryptographically secure association with their session.
Access Control Cheat Sheet
Ensure that a user has access only to the resources they are entitled to. Perform access control checks on the server side on every request. All user-controlled parameters should be validated for entitlement checks. Check whether a user name or role name is passed through the URL or through hidden variables.
Input Validation Cheat Sheet
Input validation is performed to minimize malformed data entering the system. Input validation is NOT the primary method of preventing XSS or SQL injection; these are covered by output encoding below.
XSS (Cross Site Scripting) Prevention Cheat Sheet
Output encoding is the primary method of preventing XSS and injection attacks. Input validation helps minimize the introduction of malformed data, but it is a secondary control.
Cross Site Request Forgery Cheat Sheet
Ensure that adequate controls are present to prevent Cross-Site Request Forgery, clickjacking and other third-party malicious scripts.
Transport Protection Cheat Sheet
Ensure that all application pages are served over cryptographically secure HTTPS. Prohibit the transmission of session cookies over HTTP.
Logging Cheat Sheet
Ensure that all security-related events are logged. Events include: user log-in (success/fail); view; update; create; delete; file upload/download; attempts to access through the URL; URL tampering. Audit logs should be immutable and write-only and must be protected from unauthorized access.
…
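The Access Control and Logging cheat sheet points above (check entitlements on the server for every request, never trust a role carried in the URL or a hidden field, log log-ins, views, denials and URL tampering) are shown together in the added Python example below. It is not from the slides or from OWASP; the session store, role table, document owners and the `AUDIT_LOG` list are constructed stand-ins for the database and the append-only audit sink a real service would use, and `handle_get_document` is a hypothetical request handler.

```python
import secrets

# Constructed sample state, not from the slides. In a real service these
# live in a database; the dicts keep the example self-contained.
SESSIONS = {}                                   # session id -> username
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
OWNERS = {"doc-1": "alice", "doc-2": "bob"}     # hypothetical resource owners
AUDIT_LOG = []                                  # stand-in for an append-only audit sink

def log_event(event, user, detail=""):
    # Logging cheat sheet: record security-relevant events; code only appends here.
    AUDIT_LOG.append({"event": event, "user": user, "detail": detail})

def login(user, password_ok):
    """Authentication step. The credential check itself is outside this
    example; `password_ok` is the result of that check."""
    if user not in ROLES or not password_ok:
        log_event("login_fail", user)
        return None
    sid = secrets.token_urlsafe(32)             # unguessable, cryptographically random id
    SESSIONS[sid] = user
    log_event("login_ok", user)
    return sid

def handle_get_document(session_id, doc_id, query_params):
    """Server-side access control on every request. Returns (status, body).

    `query_params` is user-controlled data (URL query or hidden fields). A
    `role` key there is never trusted: the role comes from the server-side
    ROLES table, and the attempt is logged as URL tampering."""
    user = SESSIONS.get(session_id)
    if user is None:
        log_event("unauthenticated_access", None, doc_id)
        return 401, None
    if "role" in query_params:
        log_event("url_tampering", user, "role=" + str(query_params["role"]))
    owner = OWNERS.get(doc_id)
    if owner is None:
        log_event("not_found", user, doc_id)
        return 404, None
    # Entitlement check: owner or admin, decided from server-held data only.
    if owner != user and ROLES.get(user) != "admin":
        log_event("access_denied", user, doc_id)
        return 403, None
    log_event("view", user, doc_id)
    return 200, "contents of " + doc_id

def events(kind):
    """All logged events of one kind (for review and tests)."""
    return [e for e in AUDIT_LOG if e["event"] == kind]
```

Every branch that makes a security decision also writes an audit record, so the log can answer the slide's question “who can report the incidents?” after the fact; the handler never reads identity or role from anything the client sent except the session id.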

Slide 23

Shift Left Secret 3. Verify the maturity level of your software dev and ops team.
• Well educated about threats?
• Do stakeholders know the compliance requirements well?
• Implemented securely? Both legacy and new?
• Well verified?
• Does Ops update FL/OSS frequently?
• Who can report the incidents?

Slide 24

Summary
• Software defines the full stack of the connected world.
• All payment systems and supply chains are also affected by cyber threats.
• OWASP Top 10 2017 focuses on the risk of app and API weaknesses.
• The Answer: “Shift Left”
• 1. Hire red teaming from the beginning
• 2. Introduce “Proactive Controls” into the development process
• 3. Score the providers