Scribd Logo
Importer

Bienvenue sur Scribd !

  • CAS Presentation

    Transféré par

    Muhammad Indra
    74 vues31 pages
    CAS Presentation

    Copyright

    © © All Rights Reserved

    Formats disponibles

    PPTX, PDF, TXT ou lisez en ligne sur Scribd

    Avez-vous trouvé ce document utile ?

    Ce contenu est-il inapproprié ?

    Signaler ce document
    CAS Presentation

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PPTX, PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    74 vues31 pages

    CAS Presentation

    Transféré par

    Muhammad Indra
    CAS Presentation

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PPTX, PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    sur 31

    Leveraging OWASP in Open Source

    Projects - CAS AppSec Working


    Group
    David Ohsie - Distinguished Engineer, EMC Corporation
    Bill Thompson CISSP, CSSLP - Director IAM Practice, Unicon
    Aaron Weaver
    Hosted by OWASP & the NYC Chapter
    Central Authentication Service (CAS)
    Simple, Flexible, Extensible Open Source
    Web Single Sign-On for the Enterprise

    ● Alfresco ● Moodle ● Spring Security


    ● Confluence ● OpenCMS ● Apache Shiro
    ● DokuWiki ● PeopleAdmin ● Java CAS Client
    ● Drupal ● Roller ● .Net CAS Client
    ● Google Apps ● Sakai ● php CAS Client
    ● JIRA ● Twiki ● mod_auth_cas
    ● Joomla! ● uPortal ● ASP to Zope
    ● Liferay ● Wordpress
    ● MediaWiki ● Zimbra

    Hosted by OWASP & the NYC Chapter


    Central Authentication Service (CAS)

    ● CAS initially create by Shawn Bayern in 2001 at


    Yale

    ● CAS3 jointly designed and developed by Rutgers


    and Yale in 2005 as Jasig project

    ● Simple protocol, flexible architecture, wide


    deployment

    Hosted by OWASP & the NYC Chapter


    Central Authentication Service (CAS)
    But...is it secure? How do we know?

    ● Based on Kerberos
    ● Wide deployment and many eye balls
    ● Reports of dynamic scans from time to time
    ● Maybe we should really check?

    Hosted by OWASP & the NYC Chapter


    Central Authentication Service (CAS)
    CAS AppSec Working Group - Jan 2013

    • Joachim Fritschi • David Ohsie

    • Jérôme Leleu • Andrew Petro

    • Misagh Moayyed • Bill Thompson

    • Parker Neff • Aaron Weaver

    https://wiki.jasig.org/display/CAS/CAS+AppSec+Working+Group

    Hosted by OWASP & the NYC Chapter


    CAS AppSec Working Group Goals
    ● Proactively work to improve the security posture

    ● Respond to potential vulnerabilities

    ● Produce artifacts that help potential CAS adopters


    evaluate the security of CAS

    ● Create and maintain recommendations on good security


    practices for deployments

    Hosted by OWASP & the NYC Chapter


    Hosted by OWASP & the NYC Chapter
    Google pays coders to improve
    open-source security

    Hosted by OWASP & the NYC Chapter


    Open Source software
    needs to be open on
    software security.

    Hosted by OWASP & the NYC Chapter


    As an adopter or potential adopter I
    want to know how the project deals with
    security

    Hosted by OWASP & the NYC Chapter


    Security can be a strong
    “selling” point!

    Hosted by OWASP & the NYC Chapter


    Or it can detract from your project
    How to avoid being one of
    the "73%" of WordPress
    sites vulnerable to attack

    Hosted by OWASP & the NYC Chapter


    Vulnerability Handling Practices

    Hosted by OWASP & the NYC Chapter


    Hosted by OWASP & the NYC Chapter
    OSS AppSec Program
    ● Form a working group
    ● OWASP Resources
    ● Meet regularly
    ● Make it easy to report vulnerabilities
    ● Threat Analysis with Developers
    ● Run security tools (ZAP, Static Code)

    Hosted by OWASP & the NYC Chapter


    Contributors

    ● Use OWASP
    Resources and
    Libraries
    ● Threat Model
    ● Work with security
    researchers

    Hosted by OWASP & the NYC Chapter


    Make it easy to report a vulnerability

    ● Security issue email


    address

    ● Provide a PGP Key

    Hosted by OWASP & the NYC Chapter


    Static Code Analysis
    Issues were found, prioritized and
    worked through false positives

    Hosted by OWASP & the NYC Chapter


    Threat analysis: Purpose
    ● What people think/say: “We probably don’t have any
    major security issues.”

    ● Threat analysis gives you a way to systematically


    analyze the possible threats against your system and
    rank them by potential impact.

    ● Threat analysis also gives adopters the information they


    need to analyze the deployment of your system in their
    environment.

    Hosted by OWASP & the NYC Chapter


    Threat analysis: Methodology
    ● Decompose the application: Draw a dataflow diagram in
    order to enumerate the attack surfaces.

    ● For each attack surface, enumerate the threats to the


    system and rank them.

    ● For each threat, create a list of possible mitigations.

    ● More details:
    https://www.owasp.org/index.php/Application_Threat_M
    odeling

    Hosted by OWASP & the NYC Chapter


    CAS Appsec Experience
    ● Started with whiteboarding session at Apereo
    conference to produce initial DFD and threats

    ● Biweekly follow-up meeting via Webex

    ● Used STRIDE to help identify threats

    ● Results maintained on wiki page

    ● https://wiki.jasig.org/display/CAS/CAS+Threat+Modelin
    g

    Hosted by OWASP & the NYC Chapter


    CAS Context DFD

    Hosted by OWASP & the NYC Chapter


    CAS Protocol DFD HTTPS
    Username/Password
    + Application Service URL CAS
    Server
    SSO Session Cookie (TGT)
    Application Service Ticket (ST)

    Browser
    HTTP(S) Request + ST
    Application
    CAS
    Client
    HTTP(S) + (Agent)
    Optional Session Cookie

    Hosted by OWASP & the NYC Chapter


    STRIDE

    Threat Security Control


    Spoofing Authentication
    Tampering Integrity
    Repudiation Non-Repudiation
    Information Disclosure Confidentiality
    Denial of Service Availability
    Elevation of Privelege Authorization
    Hosted by OWASP & the NYC Chapter
    CAS Appsec Sample Threat
    ● Identifier: PC_3
    ● Category: Information Disclosure
    ● Threat: The pgtIou and pgtId are send as GET
    parameters, which can be a problem as they might be
    stored in logs or indexed in internal search engines...
    ● Mitigation: Never log the GET parameters on the proxy
    callback url. Though, it might be not sufficient. Should
    we change the CAS protocol in the next revision (v4.0)
    to POST these parameters ?

    Hosted by OWASP & the NYC Chapter


    Classifying Remediation
    ● Easy: Security Guide Contents
    ○ Disable http
    ○ How to write a safe CAS client/plugin
    ○ Securing the ticket registry

    ● Harder: Change the code


    ○ Secure-by-default
    ○ Encrypted/signed ticket registry

    Hosted by OWASP & the NYC Chapter


    CAS Threat modeling results
    ● Classified 19 threat against the system
    ● Generated 10 proposals
    ● One proposal (secure-by-default) integrated into CAS
    4.0
    ● Paraphrase from a CAS committer:
    ○ “I thought when we started that we would not find
    any problems, but now I see that there are lots of
    improvements to be made”

    Hosted by OWASP & the NYC Chapter


    Challenges
    ● Even in a security project, features are favored over
    security!
    ● Difficult to get consistent participation (although a core
    of contributors have kept it up; thank you, Jérôme Leleu
    and co-presenters!)
    ● Difficult to get changes prioritized and into the project

    Hosted by OWASP & the NYC Chapter


    Application Security Professionals

    Find an open
    source project
    and volunteer!

    Hosted by OWASP & the NYC Chapter


    Thanks!
    David Ohsie

    Bill Thompson, CISSP, CSSLP


    IAM Practice Director, Unicon
    wgthom@unicon.net

    Aaron Weaver

    Hosted by OWASP & the NYC Chapter

    Vous aimerez peut-être aussi