Developing secure software: how to implement the OWASP top 10 Proactive Controls

It ensures that an attacker cannot simply capture the session ID from web browser traffic. Additionally, the Secure cookie attribute must be used to ensure the session ID is only exchanged through an encrypted channel. The usage of an encrypted communication channel also protects the session against some session fixation attacks where the attacker is able to intercept and manipulate the web traffic to inject (or fix) the session ID on the victim’s web browser (see here and here). Regarding the user enumeration itself, protection against brute-force attacks is also effective because it prevents an attacker from applying the enumeration at scale.

Talk to a seasoned AppSec professional, and they will tell you about stuff they find and trends they see that aren’t yet in the data. It takes time for people to develop testing methodologies for certain vulnerability types and then more time for those tests to be automated and run against a large population of applications. Everything we find is looking back in the past and might be missing trends from the last year, which are not present in the data. Previous data collection efforts were focused on a prescribed subset of approximately 30 CWEs with a field asking for additional findings. We learned that organizations would primarily focus on just those 30 CWEs and rarely add additional CWEs that they saw.

Access Control

The open-source ModSecurity WAF, plus the OWASP Core Rule Set, provide capabilities to detect and apply security cookie attributes, countermeasures against session fixation attacks, and session tracking features to enforce sticky sessions. After a specific amount of time since the session was initially created, the web application can regenerate a new ID for the user session and try to set it, or renew it, on the client. The previous session ID value would still be valid for some time, accommodating a safety interval, before the client is aware of the new ID and starts using it. At that time, when the client switches to the new ID inside the current session, the application invalidates the previous ID. All sessions should implement an absolute timeout, regardless of session activity. This timeout defines the maximum amount of time a session can be active, closing and invalidating the session upon the defined absolute period since the given session was initially created by the web application.

Discretionary access controls are based on the identity and
need-to-know of subjects and/or the groups to which they belong. They
are discretionary in the sense that a subject with certain access
permissions is capable of passing on that access, directly or
indirectly, to other subjects. They execute using privileged accounts such as root in UNIX
environment or LOCALSYSTEM in Windows environments. When web and
application servers run as root or LOCALSYSTEM, the processes and the
code on top of these processes run with all of the rights of these
users. Malicious code will execute with the authority of the privileged
account, thus increasing the possible damage from an exploit. Web and
application servers should be executed under accounts with minimal
permissions.

Access Control Models:

They are written out in procedures that specify the intended operation of controls. A given procedure may address multiple controls and a given control may require more than one procedure to fully implement. It lists security requirements owasp controls such as authentication protocols, session management, and cryptographic security standards. Most importantly, the ASVS provides a phased approach to gradually implement security requirements as you are making your first steps.

Another example would be
an Internet Banking application that checks to see if a user is allowed
to transfer money, but does not validate that the “from account” is one
of the user’s accounts. The J2EE and .NET platforms provide developers the ability to limit the
capabilities of code running inside of their virtual machines. Often web
applications run in environments with AllPermission (Java) or FullTrust
(.NET) turned on.

Examples of Access Controls in Software:

While simple unit and integrations test can never replace manual testing performed by a skilled hacker, they are an important tool for detecting and correcting security issues quickly and with far less resources than manual testing. Even when no access control rules are explicitly matched, the application cannot remain neutral when an entity is requesting access to a particular resource. The application must always make a decision, whether implicitly or explicitly, to either deny or permit the requested access. Logic errors and other mistakes relating to access control may happen, especially when access requirements are complex; consequently, one should not rely entirely on explicitly defined rules for matching all possible requests. For security purposes an application should be configured to deny access by default. From the perspective of end-users of a system, access control should be
mandatory whenever possible, as opposed to discretionary.

In this session, Jim walked us through the list of OWASP Top 10 proactive controls and how to incorporate them into our web applications. The proactive controls document, written by Manico himself, along with Katy Anton and Jim Bird,  provides a security overview for developers wanting to jump into web security, understand the different layers of security risks, and how to protect against them. Lastly, the AI Exchange discusses the risk of leaking sensitive input data at runtime.