[[categorie:work spaces]]
[[Image:kerckhoffs.jpg|right]]

Here we collect information and results for the [http://www.cs.ru.nl/~erikpoll/ss/project2 OWASP group project] in the [http://www.cs.ru.nl/~erikpoll/ss/ Software Security] course, in which we do a collaborative security analysis of a web application, namely an older version of [http://www.cs.ru.nl/~erikpoll/ss/project2/phpBB2.zip phpBB].

To get a logon to this wiki, send an email with your full name and your "official" email address (i.e. a student.ru.nl, student.utwente.nl, or student.tue.nl email address) to Fabian <f.vandenbroek@cs.ru.nl>.

For non-Dutch speakers: select "Mijn voorkeuren" above and choose another language. Only the help pages for this wiki will then still be in Dutch, but you can easily find English ones, for instance [http://lab.cs.ru.nl/laquso/Help:Contents here].

First step: [[Software Security/CodeScanners|trying out source code analysis tools]] - Deadline April 22.

==Groups and the Verification Requirements they look at==

Groups:
*[[Software Security/Group 1|Group 1 (RU) looking at V6/HTML]]
*[[Software Security/Group 2|Group 2 (RU) looking at V6/SQL]]
*[[Software Security/Group 3|Group 3 (TUE) looking at V8]]
*[[Software Security/Group 4|Group 4 (RU) looking at V7, V9, V11, and V10]]
*[[Software Security/Group 5|Group 5 (TUE) looking at V5]]
*[[Software Security/Group 6|Group 6 (UT) looking at V3]]
*[[Software Security/Group 7|Group 7 (Erasmus) looking at V4]]
*[[Software Security/Group 8|Group 8]] does not exist
*[[Software Security/Group 9|Group 9 (TUE) looking at V2]]

Verification requirements:
* V1: Security Architecture Documentation - we can jointly try to collect some information about the architecture and organisation of the code
* '''V2: Authentication''' - looked at by group 9
* '''V3: Session Management''' - looked at by group 6
* '''V4: Access Control''' - looked at by group 7
* '''V5: Input Validation''' - looked at by group 5
* '''V6: Output Encoding/Escaping (HTML)''' - looked at by group 1
* '''V6: Output Encoding/Escaping (SQL)''' - looked at by group 2
* V6: any other interesting output? (email addresses, path names, ...)
* '''''V7: Cryptography''''' - smaller task
* '''V8: Error Handling and Logging''' - looked at by group 3
* '''''V9: Data Protection''''' - smaller task - the only sensitive data might be the email addresses & passwords - looked at by group 4
* '''''V10: Communication Security''''' - less interesting/small task (mainly TLS issues) - looked at by group 4
* '''''V11: HTTP Security''''' - looked at by (small) group 4
* ''V12: Security Configuration'' - out of scope since it is specific to a particular install
* V13: Malicious Code Search - out of scope for a Level 2 evaluation
* V14: Internal Security - out of scope for a Level 2 evaluation

[[Software_Security/Students|List of all students]] in case you're still looking to form a group

==Code analysis tools==

* <b>Source code analysis tools</b>. <br>There are several source code analysis tools we can experiment with. Below, record which tools your group looks at. Also, create/update the wiki page for that tool to record any problems/successes running them, your impressions about what it can/cannot do, etc. The status of some tools is not so clear, so please record it if a tool is effectively dead, to save others the effort of trying to install it.
**[[Software_Security/Pixy|Pixy]] tried out by group ?,3,(7 partial) <br>Tool available [http://pixybox.seclab.tuwien.ac.at/pixy/index.php here] - it works for XSS and SQL injection only, I believe. Tool website is now up!
**[[Software_Security/PHPSAT|PHP-SAT]] tried out by group 3,7 <br>Tool available [http://www.program-transformation.org/PHP/PhpSat here] (doesn't have a stable release yet)
**[[Software_Security/SWAAT|SWAAT]] tried out by group 2,3,7,9 (failed) <br>Tool available [http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project here]
**[[Software_Security/Yasca|Yasca]] tried out by groups 3,5,6,4,9 <br>Tool available [http://en.wikipedia.org/wiki/YASCA here] (also supports use of RATS, Pixy and many other tools through plugins)
**[[Software_Security/RATS|RATS]] tried out by groups 3,5,9 <br>Tool available [https://www.fortify.com/ssa-elements/threat-intelligence/rats.html here]
**[[Software_Security/CodeScan|CodeScan]] tried out by group 1,5 <br>Tool available [http://www.codescan.com/sql_injection.wp.asp here]. CodeScan is commercial, but they offer a free trial download for detecting SQL injection.
**[[Software_Security/CodeSecure|CodeSecure]] tried out by group 2,(7 fail) <br>Another commercial tool, but they offer free trials [http://www.armorize.com/?link_id=codesecure here]. They are planning to release a new version on May 3rd, so it is currently difficult to obtain free trials.
**[[Software_Security/Fortify|Fortify]] - we got our license renewed! (5,7)
*[[Software_Security/OWASP_Top_Ten|OWASP Top 10: which group looks at which top 10 entries?]]

If you can think of other ways to measure our coverage of possible problems, share info, avoid double work, etc., please add them here.

==Info to record/produce==

Use your wiki group page to document the '''process''' of what you have been doing, and, by the end, to present '''the results'''.

To record the '''process''', keep track of
* '''a log''': Keep a chronological log of your planning and of what you have done. (E.g. "March 22: we met and decided that X would do A and Y would do C. March 22: X actually did A. ...")
* '''a TO DO list'''
* '''Documentation''': any info about the architecture of the application (e.g. "Authentication is done in packages/files XYZ") or any design decisions (e.g. "Apparently, all access control checks are done by calling function f") as you observe them from the code
* '''the outcome of your work as it progresses''' on your group wiki page

Also, record which - if any - warnings from a source code analysis tool you cover and which OWASP Top 10 entries you cover on [[Software_Security#Code_analysis_tools|the communal wiki pages for this]].

In the end, the '''results''' should be presented via one wiki page (Deadline June 24, prior to the lecture):
* Organise the results per verification requirement, as they are listed in the [http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf OWASP ASVS].
:For each verification requirement, briefly report your findings. Essentially, this should be done as described in section ''R4 - Verification Results'' of the [http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf OWASP ASVS]. For the Risk Rating, don't bother with the OWASP Risk Rating Methodology or Testing Guide, but simply say whether you think the risks of any failures are serious or not, with some motivation. Do mention any remedies/improvements that you can think of, even though these are not mentioned in section ''R4 - Verification Results''.
:Be frank in mentioning any limitations of your efforts: things you're not sure of, or things you didn't have time for. If it is useful, you can give a further breakdown, e.g. of the different types of inputs that are validated, or per directory/file/function (e.g. 'all code in XYZ checked for SQL injection problems' - or - 'we didn't have time to investigate Fortify warnings about files XYZ').

==Information==

* The Open Web Application Security Project (OWASP) is a community effort to improve the security of web applications. The [http://owasp.org OWASP website] provides a lot of information, though, as in most wikis, the relevant information can be a bit hard to find in the maze of wiki pages. Useful pages at the OWASP site include:
** The [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project (ASVS)] has produced the '''ASVS 2009''', which describes standard procedures to assess the security of a web application. For this project, the detailed verification requirements (V1, V2, etc.) are of interest as lists of specific issues to look at.
** The [http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project OWASP Code Review Project] has produced more detailed info about doing a code review (as part of a security verification). This resulted in the ''Code Review Guide'', which is available as [http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents HTML], [https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf PDF], [http://www.owasp.org/images/8/8e/OWASP_Code_Review_Guide-V1_1.doc DOC], and [http://www.lulu.com/content/5678680 paperback].
** The [http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project#Open_review_process OWASP Open Review Project] sketches a high-level process for performing a code review.
*[http://cwe.mitre.org/data/lists/661.html (CWE 661) Weaknesses in Software Written in PHP]
*[http://cwe.mitre.org/data/lists/701.html (CWE 701) Weaknesses Introduced During Design]
*[[Software Security/php|Useful PHP info]]
*Anything else?