@OWASP top 10 ... in English

In order to raise security awareness broadly in our teams (repetition is the mother of learning), I was guided to talk about OWASP 10 to them. Well, reading the cheat sheet, there were stuff in there that I ... just didn't get. So, I consulted our in-house Cloud Security Architect and had him explain things to me, a favour which I thought I'd pay forward. This article, then, will highlight some parts of the top 10 which either was hard to grasp, or where our CSA gave additional insights.

A1 Injection

Is the posted response still in the encoding you sent out (UTF-8)? Here, what we want to protect ourselves from, is for an attacker to force our poor web server to start spewing out logs due to unhandled exceptions, giving the attacker more information. So, before you even start processing the request - does it have the appropriate encoding? If not, it's appropriate to return 400 Bad Request. We can be unapologetically obtuse here, logging the error on the server side, but leaving little information to the client.

Next off, does the input makes sense? For example, does it make sense to set a payment, an invoiced value or time spent to a negative value? Is the total request payload size reasonable for what the user (or attacker) is trying to do? What is reasonable, then? Here, you need to start monitoring early to get a sense for what a "reasonable request" is.


A4 Insecure Direct Object References

Our CSA highlighted two points here: First off, be aware of whom is calling you (authentication) and what that person (or system) is allowed to do (authorization). If the caller is a reporting system (for whatever reason), then it does not make sense that it should call any Set-methods of your overbloated WCF-service (I'm reaching for examples here ... ), even though it could have access to them through a shared WSDL.

Second off, be aware of whom you are calling. Or, in other words, don't automatically trust responses from external APIs. Those APIs could both be compromised, giving you malicious data back, be downright wrong (e.g. due to versioning issues) or have other unforeseen issues. An API call is a seam in your system, which you need to be diligent about - catch metrics, check if the responses make sense and learn as you go.


A7 Missing Function Level Access Control

Keep your different system assets separate. Logs should be written to a physically separate spot from the content files of your web. Your configuration should be on a different spot than your images etc. etc.

Want more? Check out Troy Hunt's OWASP Top 10 for .NET developers. Through there, you can get access to his pluralsight course and where he'll be talking on security next.

If you have access to PluralSight, our CSA recommended these courses in particular:

Comments

Post a Comment

Popular posts from this blog

Auto Mapper and Record Types - will they blend?

Image
TL;DR: Yes, they will. Thank you for your time. 😄 Background At Redgate, engineers enjoy a great benefit in that we get are expected to spend 10% of our time to improve on our craft.  Having suffered this week with manually having to copy a bunch of properties from a domain object to its HTTP representation, I decided to spend this week's 10% time to see if I could answer the following questions: Can use AutoMapper to simplify mapping between two types?  Does it also allow me to map between a regular type and a record type? What about the other way around? Can I use this to reduce the maintenance burden in my product? Mapping between two types [automapper fundamentals] To started and get a basic mapping done, created a .NET 5 ASP.NET Web API project, added the below package references and configured automapper : < PackageReference Include ="AutoMapper" Version ="10.1.1" /> < PackageReference Include ="AutoMapper.Extensions.Microsoft.DependencyInj
Read more

Unit testing your Azure functions - part 2: Queues and Blobs

In our last installment , we discovered how to start unit testing our Azure Functions, looking at the HTTP Trigger (and evaulating the function's HTTP response). This time, we'll take a look at using the QueueTrigger, getting supporting data from table storage and outputting Blobs. Yup, I'm tossing you into the deep end! What are we trying to accomplish? This time, we will test a function that performs some arbitrary business logic on bank accounts. The function responds to a storage queue request, logs each command and ensures that each received command is executed exactly once. Almost like a real-world function, huh? ;-) In the function above, we are introduced to three types that we need to deal with in our unit tests - the IQueryable interface, IAsyncCollector and the CloudBlockBlob concrete type. IQueryable is easy enough to work with: Introducing the Testable Async Collector When I first started exploring this topic, I figured I could just use my favourit
Read more

Testing WCF services with user credentials and binary endpoints

Image
This article discusses the following error messages that you might receive from a WCF service An error occurred when verifying security for the message HTTP/1.1 415 Cannot process the message because the content type 'application/soap+xml;charset=UTF-8;action="..."' was not the expected type 'application/soap+msbin1' When doing analysis work on existing services, invoking them in a safe test environment is a handy way of getting an understanding of their operations, especially if the documentation has gone missing (or was never written). SoapUI is a tool that can be used to test WCF Services, but did you know that Visual Studio also comes with its own set of tools? Let's start with SoapUI, which is available from  http://www.soapui.org/ . Its operations are quite straight-forward; however, you might run into issues when trying to access services that are protected by user credentials, or when accessing services with binary endpoints. I
Read more