The OWASP Foundation
AppSec DC
http://www.owasp.org
DISA's Application Security and Development STIG: How OWASP Can Help You
Jason Li, Senior Application Security Engineer
November 12, 2009
OWASP
About Me
- Senior Application Security Engineer
- Five different organizations
- 12 applications validated against ASD STIG this year
  - CAT I’s in almost all of them!
- OWASP Global Projects Committee member
- Star Trek fan
- Ballroom dancer
About DISA
- Defense Information Systems Agency
- Part of the Department of Defense
- Administers and protects DoD command and control systems and enterprise infrastructure
About DISA STIGs
- Offers configuration guides and checklists for:
  - Databases
  - Operating Systems
  - Web Servers
  - Etc...
- Provides standard “findings” and impact ratings
  - CAT I, CAT II, CAT III
Application Security and Development STIG
- First draft November 2006; first release July 2008
- 129 requirements covering:
  - Program Management
  - Design & Development
  - Software Configuration Management
  - Testing
  - Deployment
Application Security and Development STIG
- ASD STIG applies to all DoD developed, architected, and administered applications and systems connected to DoD networks
- Essentially anything plugged into DoD
Application Security and Development STIG
- Requirements can be extremely broad:
  - e.g. APP3510: The Designer will ensure the application validates all user input
  - e.g. APP3540: The Designer will ensure the application is not vulnerable to SQL Injection
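Why APP3510 and APP3540 are broad rather than a single check, shown as an added example that is not part of the slides: the same lookup written three ways, first with the request value concatenated into the SQL text (the APP3540 finding), then with the value bound as a parameter, then with a positive-pattern validator in front of the bound query (APP3510 and APP3540 together). The in-memory table, its rows, the username pattern and the function names are constructed for this demonstration and are not from the STIG or from ESAPI.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory sample table (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """What APP3540 forbids: the request value becomes part of the SQL text,
    so a single quote in the input changes the structure of the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Bound parameter: the driver hands the value to SQLite separately from
    the statement, so the input is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Hypothetical positive pattern for this demo: a lowercase letter followed by
# 2..31 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def is_valid_username(username):
    """APP3510-style check: accept only input that matches the expected shape."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_safe(conn, username):
    """Both controls layered: reject malformed input up front (APP3510), then
    bind whatever survives (APP3540).  Validation gives the user a clean error;
    parameterization still holds if the validator is wrong or missing."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, payload))    # every user
    print("parameterized: ", lookup_parameterized(db, payload)) # []
    print("valid input?   ", is_valid_username(payload))        # False
```

The payload returns every row through the concatenated query, returns nothing through the bound query, and never reaches the database through the validated one; a validator that a tester can read as a regular expression is also far easier to verify against APP3510 than a page of ad hoc string checks.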
Application Security and Development STIG
- Requirements can be extremely specific:
  - e.g. APP3390: The Designer will ensure user accounts are locked after three consecutive unsuccessful logon attempts within one hour
Application Security and Development STIG
- Requirements can be esoteric:
  - e.g. APP3150: The Designer will ensure the application uses FIPS 140-2 validated cryptographic modules to implement encryption, key exchange, digital signature, and hash functionality
Application Security and Development STIG
- Requirements can be expensive:
  - e.g. APP2120: The Program Manager will ensure developers are provided with training on secure design and coding practices on at least an annual basis
Lost in the Weeds
Roadmap to Success
Start Right
- Allocate Time
  - Proper allowances in scheduling are key!
- Improve Acquisitions
  - See OWASP Secure Software Development Contract Annex
- Become Aware
  - See OWASP Application Security Verification Standard
Improving Developer Awareness
- OWASP Top Ten provides a high level overview
- OWASP Development Guide provides more specific development guidance
- OWASP ESAPI Project provides standard controls
Improving Developer Awareness

OWASP Top Ten 2007                                      ASD STIG
A1 – Cross Site Scripting                               APP3580
A2 – Injection Flaws                                    APP3540, APP3570
A3 – Malicious File Execution                           APP3740
A4 – Insecure Direct Object Reference                   APP3450, APP3480, APP3620
A5 – Cross Site Request Forgery                         N/A
A6 – Information Leakage and Improper Error Handling    APP3120, APP3620
A7 – Broken Authentication and Session Management       APP3460, APP3415, APP3420, APP3430
A8 – Insecure Cryptographic Storage                     APP3210, APP3340
A9 – Insecure Communications                            APP3250, APP3330
A10 – Failure to Restrict URL Access                    APP3620
Improving Developer Awareness

OWASP Top Ten 2004                              ASD STIG
A1 2004 – Unvalidated Input                     APP3510
A2 2004 – Broken Access Control                 APP3470, APP3480
A3 2004 = A7 2007
A4 2004 = A1 2007
A5 2004 – Buffer Overflow                       APP3590
A6 2004 = A2 2007
A7 2004 = A6 2007
A8 2004 = A8 2007
A9 2004 – Application Denial of Service         APP6080
A10 2004 – Insecure Configuration Management    APP3110, APP3290, APP3450, APP3470, APP3480, APP3500, APP6030, APP6040, APP6050, APP6210, APP6240, APP6250, APP6260
Improving Developer Awareness
- Use the OWASP Development Guide
  - Provides background about key appsec areas
http://www.owasp.org/index.php/Category:OWASP_Guide_Project
OWASP ESAPI Project
- Use standardized security controls
- Standardized library means faster development!
[Diagram: a Custom Enterprise Web Application built on the Enterprise Security API, whose components are: Access Controller, Access Reference Map, Authenticator, Encoder, Encrypted Properties, Encryptor, Executor, HTTP Utilities, Intrusion Detector, Log Factory, Logger, Randomizer, Security Configuration, User, Validator]
http://www.owasp.org/index.php/ESAPI
ASD Gotchas
- APP3010: Label all external links
- APP3270: Identify the classification of pages
- APP3440: Include the DoD logon banner
- APP3530: Set the charset in the Content-Type header
- APP3320: Enforce DoD password policy
ASD Gotchas (cont.)
- APP3390: Lock users after 3 attempts within 1 hour
- APP3400: Do not allow automatic timed unlock
- APP3660: Show last and failed login details, including date, time and IP address
- APP3415: Enforce session idle timeout
- APP3420: Include a logout link
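APP3390, APP3400 and APP3660 (slides 8 and 20) read as three separate bullets but are one piece of per-account state, and the "consecutive ... within one hour" wording is where implementations usually slip. The tracker below is an added example, not code from the slides or from ESAPI: it keeps a sliding one-hour window of consecutive failures, sets a lock that only an administrative unlock() call clears (no timed path exists), and returns the last successful and last failed logon details (time and source IP) on the next successful logon. Times are plain epoch seconds (pass time.time() in real code); the password callback, the result dictionary shape and the class names are assumptions made for this demonstration.

```python
MAX_FAILURES = 3       # APP3390: three consecutive unsuccessful attempts ...
FAILURE_WINDOW = 3600  # ... within one hour (seconds)


class AccountState:
    """Per-account lockout and last-logon bookkeeping (assumed shape)."""

    def __init__(self):
        self.failures = []        # epoch times of the current run of failed attempts
        self.locked = False       # APP3400: cleared only by unlock(), never by time
        self.last_success = None  # (epoch time, source ip) of last successful logon
        self.last_failure = None  # (epoch time, source ip) of last failed logon (APP3660)


class LoginTracker:
    def __init__(self, check_password):
        # check_password(user, password) -> bool is an assumed callback that
        # verifies the credential; this class only decides lockout and history.
        self.check_password = check_password
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def login(self, user, password, source_ip, now):
        st = self._state(user)
        if st.locked:
            # A correct password does not help while locked (APP3400).
            return {"ok": False, "reason": "locked"}

        # Forget failures older than the window, so only attempts within the
        # last hour count toward the three.
        st.failures = [t for t in st.failures if now - t < FAILURE_WINDOW]

        if not self.check_password(user, password):
            st.failures.append(now)
            st.last_failure = (now, source_ip)
            if len(st.failures) >= MAX_FAILURES:
                st.locked = True
                return {"ok": False, "reason": "locked"}
            return {"ok": False, "reason": "bad_credentials"}

        # Success ends the run of consecutive failures and is the point at
        # which the APP3660 details are shown to the user.
        st.failures = []
        result = {
            "ok": True,
            "last_success": st.last_success,
            "last_failure": st.last_failure,
        }
        st.last_success = (now, source_ip)
        return result

    def unlock(self, user):
        """Administrative unlock.  Nothing in this class calls it on a timer,
        which is exactly what APP3400 requires."""
        st = self._state(user)
        st.locked = False
        st.failures = []


if __name__ == "__main__":
    tracker = LoginTracker(lambda u, p: p == "correct horse")
    t0 = 1258016400  # constructed epoch time for the demo
    for offset in (0, 600, 4000, 4100):
        print(offset, tracker.login("alice", "wrong", "203.0.113.5", t0 + offset))
    print("days later:", tracker.login("alice", "correct horse", "203.0.113.5", t0 + 200000))
    tracker.unlock("alice")
    print("after unlock:", tracker.login("alice", "correct horse", "203.0.113.5", t0 + 200100))
```

The demo run shows the edge cases a validator will probe: the third failure at 4000 seconds does not lock because the first one has aged out of the window, the next one does, a correct password two days later is still refused, and the first successful logon after the unlock reports the failed attempt's time and source address.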
Do Self Validation
- ASD Checklist provides a starting point for tests
- Testers are often left unable to thoroughly test
- OWASP Testing Guide provides guidance for testers of web applications:
  http://www.owasp.org/index.php/Testing_Guide
Roadmap by level (columns: Program Management / Design & Development / Testing)

Level 3
  Program Management:   Provide Security Awareness Training; Standardize dev, build, and test platforms
  Design & Development: Create Application Threat Model; Develop Security Logging Policy
  Testing:              Perform Third Party Code Reviews; Maintain Code Coverage Statistics

Level 2
  Program Management:   Add ASD STIG to Contract Language; Use Common Criteria Validated Products
  Design & Development: Enforce All Data Input Specifications; Use Standardized Security Controls and Libraries
  Testing:              Perform Fuzz Testing; Use Automated Security Tools

Level 1
  Program Management:   Allocate Time in Program Schedule; Distribute Secure Coding Guidelines
  Design & Development: Use SSL with DoD Issued PKI Certificates; Fix Easy ASD Gotchas
  Testing:              Track Security Flaws; Create and Perform Security Tests

Boldly Go…
Summary
- Know the variety of ASD STIG requirements
- Leverage OWASP Projects:
  - Secure Software Development Contract Annex
  - Application Security Verification Standard
  - Top Ten
  - Development Guide
  - ESAPI
  - Testing Guide
Questions?
Contact:
Jason Li
[Diagram labels: Foundation, Implementation, Verification, Management]