Post on 16-Jul-2015
Securing your web applications: a pragmatic approach
Antonio Parata - an.parata@reply.it
Roma 12/12/2014
Who am I?
- Head of Reply Communication Valley R&D group
- Passionate about functional programming (F#) and occasional tools developer(http://nebula.tools)
- Passionate about software security
- Board member of OWASP Italy (Co-Author of OWASP Testing Guide v2 e v3)
Introduction
What does legacy application mean?
- An application difficult to modify/maintain
- An application lacking documentation
- An application written “a long time ago” (… in COBOL)
“…to me, legacy code is simply code without tests.”
Michael C. Feathers, author of Working Effectively With Legacy Code
Introduction
Why talk about legacy application?
A pragmatic approach
– The goal is securing an application, not learning how to compromise its security
– You have to know the most common vulnerabilities anyway
Approach
1. Perform a security assessment activity in order to evaluate the current state of security
2. Start to focus your activities in order to improve the application security.
- Don’t limit yourself to fixing the vulnerabilities reported in the security assessment report
3. Verify your progress
Approach
Which activity is advisable to execute first?
- Code Inspection
- Security Testing
- Penetration Test
Ref. Capers Jones - Software Engineering Best Practices. Lessons from Successful Projects in the Top Companies (McGraw-Hill, 2010)
OWASP Top Ten
Useful to have an idea of the most common threats
Streamlined enough to be easily read even by security non-experts.
OWASP - Proactive Controls for Developers
Provides a Top Ten of the most important security controls that must be considered for the security of the application
OWASP - Proactive Controls for Developers - Parameterize Queries
// PDO prepared statement: the SQL text is fixed, values are bound separately
$stmt = $dbh->prepare("update users set email=:new_email where id=:user_id");
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
$stmt->execute();
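The same control shown in Python with the standard library's sqlite3 module, as an added example that is not part of the original slides: a string-built UPDATE beside its parameterized form, run against a constructed in-memory database (the users table with id and email columns is an assumption taken from the slide's statement).

```python
import sqlite3

# Constructed sample database (assumption: a 'users' table with id and
# email columns, matching the UPDATE statement on the slide).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice@example.com"), (2, "bob@example.com")])
    conn.commit()
    return conn

def update_email_unsafe(conn, user_id, new_email):
    # The untrusted user_id is pasted into the SQL text, so it can change the
    # statement's structure (here it widens the WHERE clause to every row).
    sql = "UPDATE users SET email='%s' WHERE id=%s" % (new_email, user_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount          # number of rows the statement touched

def update_email_safe(conn, user_id, new_email):
    # Parameterized: values travel separately from the SQL text and are
    # only ever treated as data, never as SQL.
    cur = conn.execute("UPDATE users SET email=? WHERE id=?",
                       (new_email, user_id))
    conn.commit()
    return cur.rowcount

def emails(conn):
    return [row[0] for row in conn.execute("SELECT email FROM users ORDER BY id")]

if __name__ == "__main__":
    db = make_db()
    print(update_email_unsafe(db, "1 OR 1=1", "x@example.com"), emails(db))
    db = make_db()
    print(update_email_safe(db, "1 OR 1=1", "x@example.com"), emails(db))
```

With the same input, the string-built statement overwrites every user's email while the parameterized one matches nothing, because the bound value is compared as a literal string against the integer column.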
OWASP - Proactive Controls for Developers – Encode Data
The majority of modern Web Development Frameworks include preset encoding capabilities.
If you are in doubt:
Ruby on Rails – http://api.rubyonrails.org/classes/ERB/Util.html
Reform Project – Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP – https://www.owasp.org/index.php/Category:OWASP_Encoding_Project
ESAPI – PHP, .NET, Python, Classic ASP, Cold Fusion – https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
.NET AntiXSS Library (v4.3 NuGet released June 2, 2014) – http://www.nuget.org/packages/AntiXss/
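Output encoding is context dependent, which is the point the library list above is making. The following added example (not from the slides or from any of the listed libraries) uses only the Python standard library to render one constructed page fragment in which untrusted values land in three contexts, an HTML text node, a quoted attribute and a script block, and encodes each one for its own context:

```python
import html
import json

def render_profile(display_name, bio, prefs):
    # Constructed template. Each untrusted value is encoded for the exact
    # context it is written into; one encoder does not fit all three.
    name_html = html.escape(display_name, quote=True)   # HTML text node
    bio_attr = html.escape(bio, quote=True)             # double-quoted attribute
    # Data handed to a <script> block: JSON-encode it and neutralise "</"
    # so the browser cannot close the script element early.
    prefs_js = json.dumps(prefs).replace("</", "<\\/")
    return (
        "<h1>Hello, %s</h1>\n"
        '<img alt="%s" src="/avatar.png">\n'
        "<script>var prefs = %s;</script>"
    ) % (name_html, bio_attr, prefs_js)

if __name__ == "__main__":
    print(render_profile('<script>alert(1)</script>', 'a" onload="x',
                         {"theme": "</script>"}))
```

In a real application the template engine should do this for you by default (Rails' ERB::Util and the libraries above exist for exactly that); the example makes the per-context rule visible rather than replacing a framework.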
OWASP - Proactive Controls for Developers – Validate All Inputs
In most cases the expected input has a well-defined format…
…ensure that the format is correctly enforced!
Approaches:
- Whitelist: what is not explicitly allowed is refused
- Blacklist: what is known to be malicious is blocked
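An added example (not from the slides) of the two approaches side by side in Python: whitelist validators that describe the allowed format exactly, using anchored regular expressions plus a semantic check, and a blacklist check for comparison, which only rejects the patterns it already knows. The field names and formats are assumptions chosen for illustration.

```python
import re
from datetime import date

# Whitelist rules: state exactly what is allowed and refuse everything else.
# fullmatch() anchors the pattern to the whole input, so nothing can be
# appended or prepended to a valid value.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")
ISO_DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")

def valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None

def valid_date(value):
    m = ISO_DATE_RE.fullmatch(value)
    if not m:
        return False
    try:
        # Shape alone is not enough: 2014-13-45 matches the regex but is no date.
        date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:
        return False
    return True

# Blacklist rule for comparison: blocks what it knows about and nothing else.
BLOCKED = ("<script", "javascript:")

def blacklist_allows(value):
    return not any(bad in value for bad in BLOCKED)
```

The blacklist lets a simple case variation through, while the whitelist never had to know about it: anything outside the declared character set is refused.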
OWASP - Proactive Controls for Developers –Implement Appropriate Access Controls
Various consolidated models exist: RBAC, ACL
Access Control code can be very complex to implement. Some suggestions:
All the requests must pass through the access control code:
- Deny by default
- Don't reinvent the wheel
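Deny by default and a single choke point, as an added Python example that is not part of the slides. The roles, resources and actions in the permission matrix are constructed for illustration; a real application would load them from its own policy store.

```python
# Constructed RBAC matrix: role -> set of allowed (resource, action) pairs.
# Anything not listed here is denied, including unknown roles or actions.
PERMISSIONS = {
    "admin":  {("invoice", "read"), ("invoice", "write"), ("user", "write")},
    "clerk":  {("invoice", "read"), ("invoice", "write")},
    "viewer": {("invoice", "read")},
}

class AccessDenied(Exception):
    pass

def is_allowed(roles, resource, action):
    # Deny by default: a missing role maps to the empty set, a missing
    # (resource, action) pair is simply not found.
    return any((resource, action) in PERMISSIONS.get(role, set())
               for role in roles)

def authorize(roles, resource, action):
    # The one place every request handler goes through before doing work.
    if not is_allowed(roles, resource, action):
        raise AccessDenied("%s on %s denied for roles %s"
                           % (action, resource, sorted(roles)))

def read_invoice(session_roles, invoice_id):
    authorize(session_roles, "invoice", "read")
    return "invoice %s" % invoice_id

def delete_invoice(session_roles, invoice_id):
    # 'delete' was never granted to any role, so this fails even for admin
    # until someone consciously adds it to the matrix.
    authorize(session_roles, "invoice", "delete")
    return "deleted %s" % invoice_id
```

Keeping the decision in one function also makes it the natural place to log denied requests (see the logging control later in the deck).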
OWASP - Proactive Controls for Developers –Establish Identity and Authentication Controls
Authentication is the process that verifies that an entity is really what it says it is.
Once authenticated, a session is usually created
Make sure that:
- All the passwords are salted and stored in a safe way (e.g. by using the bcrypt algorithm)
- The session token is appropriately protected and not predictable (typically it is enough to use the features of the framework in use)
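The two checks above in Python, as an added example that is not from the slides. bcrypt is a third-party package, so this example uses the standard library's PBKDF2-HMAC with a per-user random salt as a stand-in for the slow, salted hash the slide calls for (swap in bcrypt.hashpw in a real deployment; the iteration count below is an assumption to tune to your hardware), and draws session tokens from the OS CSPRNG via the secrets module.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumption: tune like bcrypt's cost factor

def hash_password(password):
    # Fresh random salt per password; the stored string carries the
    # algorithm, cost, salt and digest, so it can be verified later and
    # the cost can be raised over time without breaking old records.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(stored, password):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def new_session_token():
    # 32 random bytes, URL-safe base64: unpredictable, unlike ids derived
    # from time, counters or user data.
    return secrets.token_urlsafe(32)
```

Two hashes of the same password differ because of the salt, which is what stops a leaked table from being attacked with one precomputed lookup for all users.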
OWASP - Proactive Controls for Developers –Protect Data and Privacy
All sensitive data have to be sent through a secure channel
- Using HTTPS for sensitive data transmission
- Using anti-tampering mechanisms to make sure that data can’t be modified arbitrarily by the user.
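One anti-tampering mechanism for values the application must hand to the client and read back (hidden form fields, cookies), as an added Python example that is not from the slides: an HMAC tag computed with a server-side secret is attached to the value, and the value is accepted only if the tag still matches. The secret is generated inline so the example runs stand-alone; in practice it is loaded from configuration.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret from configuration. Generated here only
# so the example runs on its own.
SECRET_KEY = secrets.token_bytes(32)

def sign(value, key=SECRET_KEY):
    # Attach an HMAC-SHA256 tag: the client can carry the value around but
    # cannot alter it without the key.
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "%s.%s" % (value, tag)

def verify(signed, key=SECRET_KEY):
    # Return the original value, or None if the tag is missing or wrong.
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None

if __name__ == "__main__":
    token = sign("price=100")
    print(verify(token))                         # price=100
    print(verify(token.replace("100", "1")))     # None
```

Note what this does and does not give you: integrity (the user cannot change the value unnoticed), not confidentiality; HTTPS, the first bullet above, is what keeps the value private in transit.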
OWASP - Proactive Controls for Developers – Implement Logging and Intrusion Detection
Logging is not performed only during the debugging phase.
Make sure that:
- Log every single sensitive action (login, password change, …)
- Store logs in a secure place
- Don’t include sensitive information inside log content (password, session token, …)
Ensure that logs are analyzed by a security analyst or by a security system and that appropriate actions are taken if something happens.
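An added Python example (not from the slides) covering both halves of this slide: an audit function that writes one JSON line per sensitive action and redacts the fields that must never reach the log, and a minimal analysis rule over those lines that flags users with repeated failed logins. Field names, the threshold and the sample IP address are constructed for illustration.

```python
import json
import logging
import time

# Keys whose values must never appear in a log line.
SENSITIVE_FIELDS = {"password", "new_password", "session_token", "authorization"}

audit_log = logging.getLogger("audit")

def redact(fields):
    # Keep the key but replace the value, so the analyst still sees which
    # fields were part of the request.
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v)
            for k, v in fields.items()}

def audit_event(action, user, outcome, **fields):
    # One JSON line per sensitive action: easy to ship to a separate,
    # append-only store and to query from a SIEM. Returns the line written.
    record = {"ts": time.time(), "action": action, "user": user, "outcome": outcome}
    record.update(redact(fields))
    line = json.dumps(record, sort_keys=True)
    audit_log.info(line)
    return line

def brute_force_suspects(lines, threshold=5):
    # Minimal detection rule (assumed threshold): users whose failed logins
    # reach the threshold, as input for an alert or a lockout decision.
    failures = {}
    for line in lines:
        rec = json.loads(line)
        if rec["action"] == "login" and rec["outcome"] == "failure":
            failures[rec["user"]] = failures.get(rec["user"], 0) + 1
    return sorted(u for u, n in failures.items() if n >= threshold)

if __name__ == "__main__":
    # Constructed sample: 203.0.113.9 is a documentation address.
    print(audit_event("login", "alice", "failure",
                      password="hunter2", src_ip="203.0.113.9"))
```

The failed-login password is the classic case for the third bullet: the event is worth logging, the submitted value is not, since users often mistype a password that is valid elsewhere.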
OWASP - Proactive Controls for Developers – Leverage Security Features of Frameworks and Security Libraries
According to the programming language used, there could be different frameworks that provide a baseline for implementing security features.
Those frameworks are typically well written and have a stable code base.
But make sure that you always keep up to date with newly discovered vulnerabilities in them.
OWASP - Proactive Controls for Developers – Include Security - Specific Requirements
It is never too late to consider new security requirements
Consider:
1. Security Features and Functions
2. Business Logic Abuse Cases
3. Data Classification and Privacy Requirements
OWASP - Proactive Controls for Developers – Design and Architect Security In
In legacy applications it is difficult to change the architecture; consider however the following points:
- Attack surface
- Used frameworks
- Specific vulnerabilities that are more common in the language used and/or in the tools used
Trust but verify
OWASP - Proactive Controls for Developers is a guide that helps developers to secure their application code
But you have to be sure that the written code is really secure
OWASP Application Security Verification Standard (ASVS)
OWASP - ASVS
“The first aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and the level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard.”
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
OWASP – ASVS Requirements
V2: Authentication Verification Requirements
V3: Session Management Verification Requirements
V4: Access Control Verification Requirements
V5: Malicious Input Handling Verification Requirements
V7: Cryptography at Rest Verification Requirements
V8: Error Handling and Logging Verification Requirements
V9: Data Protection Verification Requirements
V10: Communications Security Verification Requirements
V11: HTTP Security Verification Requirements
V13: Malicious Controls Verification Requirements
V15: Business Logic Verification Requirements
V16: Files and Resources Verification Requirements
V17: Mobile Verification Requirements
Conclusions
1. Verify the current state of your application security, performing:
- Security Testing
- Code Inspection
2. Apply effective security controls in your code (Proactive Controls)
3. Verify that the written code is really secure (ASVS)
4. Repeat the process from step 1 on a regular basis.