Post on 08-Jan-2018
The OWASP Foundation, http://www.owasp.org
OWASP Education, Computer based training
Security for Managers and Executives
Nishi Kumar, Systems Architect, FIS
OWASP CBT Project Lead
Nishi.Kumar@owasp.org
Objectives
Bring application security awareness
Things we can do that will help build secure applications
Processes we can have for achieving this goal
Answer some common questions
How would you feel if your confidential data is stolen?
Angry! Frustrated!
Identity Theft, Phishing
Facebook Phishing Attack
Lures people to a fake Facebook page and prompts them to log in.
Unsuspecting Facebook users get a message from a friend urging them to "check this out" and including a link to a Web page that appears to be a Facebook log-in page.
Article from Wall Street & Technology
Why Should We Care?
Let’s just think this through… How likely is a successful web application attack?
Stunningly prevalent
Easy to exploit without special tools or knowledge
Little chance of being detected
Hundreds of thousands of developers, tiny fraction with security expertise
Consequences?
Corruption or disclosure of database contents
Root access to web and application servers
Loss of authentication and access control for users
Defacement
Secondary attacks from your application
Cost of Non-Compliance
In the event of a breach the acquirer CAN make the merchant responsible for:
Any fines from PCI-Co, up to $500,000 per incident
Cost to notify victims
Cost to replace cards (about $10/card)
Cost for any fraudulent transactions
Forensics from a QDSC
Level 1 certification from a QDSC
The QDSC (Qualified Data Security Company) certification by Visa authorizes a company to perform level-one onsite assessments for merchants and service providers requiring a "Report on Compliance" (ROC).
Cost of Non-Compliance (Cont)
Example: 50,000 credit cards stolen
PCI Penalty - $100,000 per incident, $500,000 if you do not have a self-assessment
Card Replacement - $500,000 (50,000 x $10 per card)
Fraudulent Transactions – $61,750,000 ($1,235 x 50,000; $1,235 was the 2004 average fraudulent transaction)
Bad Publicity – Priceless!
Why is Web Application Security important?
Attacks Shift Towards Application Layer
[Chart: % of attacks and % of security spending dollars, network/server versus web applications; values shown: 90%, 75%, 25%, 10%]
2/3 of All Web Applications Are Vulnerable
Sources: Gartner, Watchfire
Problem Illustrated
Application Layer
Attacker sends attacks inside valid HTTP requests
Your custom code is tricked into doing something it should not
Security requires software development expertise, not signatures
Network Layer
Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests.
Security relies on signature databases
[Diagram: an application attack (including one from an insider) passes through the network layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the application layer's custom code, which fronts the business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce) and the back-end systems (Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing)]
Demo Attack
Phases of hacker attacks
Phase 1
Information search, Fingerprinting
1. Hacker searches information about victim’s target system: Operating System, Web Server, Database
2. Compares information with vulnerability database
Phase 1 - Information Search
SQL Injection
1. Hacker found vulnerability: search for (specific) user, find additional information about user
2. Needs information for next phase of attack
Phase 2 - Infrastructure
Cross Site Scripting (XSS)
1. Hacker found personal information about user: e-mail, phone number …
2. Sends e-mail with unsuspicious topic
3. Includes XSS in e-mail that sends user session to the hacker's server
Phase 2 - Infrastructure
Cross Site Scripting (XSS)
1. User receives e-mail
2. E-mail is unsuspicious to user
[Screenshot of the e-mail: Topic, Originator]
3. Included XSS sends all cookies to hacker’s web site
Phase 3 - Exploit
Session hijacking
1. Hacker received all cookies from user
2. Cookies are used to identify users
3. Hacker uses cookie to resume user session
4. Hacker is logged in as user “victim” with user’s access rights
That was just the beginning
Demo Cross-site scripting
WebGoat XSS
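As an added example, not part of the original deck or of WebGoat, here are the three links of the demo chain (SQL injection in the user search, XSS that reads the session cookie, session hijacking with that cookie) next to the control that breaks each one: a parameterized query, output encoding, and HttpOnly/Secure/SameSite cookie attributes. It also illustrates the "Problem Illustrated" slide: every request involved is valid HTTP, so the fix lives in the custom code. The in-memory user table, the session id and the probe strings are constructed sample data.

```python
import html
import sqlite3
from http.cookies import SimpleCookie


def make_db():
    # Constructed sample data standing in for the victim system's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("victim", "victim@example.com"), ("alice", "alice@example.com")])
    return conn


def lookup_user_unsafe(conn, name):
    # Phase 1 flaw: the search term is pasted into the SQL text, so a quote in the
    # input rewrites the query instead of being compared as data. The request that
    # carries it is still a valid HTTP request, which is why a firewall passes it.
    return conn.execute(f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()


def lookup_user_safe(conn, name):
    # Control: a parameterized query. The driver binds the value; the SQL never changes.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting(user_input):
    # Control for Phase 2: encode untrusted data before it is placed in HTML, so
    # attacker-supplied markup is shown as text instead of running in the browser.
    return "<p>Hello, " + html.escape(user_input, quote=True) + "</p>"


def session_cookie(session_id):
    # Control for Phase 3: script cannot read an HttpOnly cookie, Secure keeps it off
    # plaintext HTTP, and SameSite stops the browser sending it on cross-site requests.
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["samesite"] = "Strict"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # textbook tautology a Phase 1 search field would be tested with
    print(len(lookup_user_unsafe(db, probe)), "rows leak from the concatenated query")
    print(len(lookup_user_safe(db, probe)), "rows from the parameterized query")
    print(render_greeting("<script>alert(document.cookie)</script>"))
    print(session_cookie("constructed-session-id"))
```

The SameSite attribute on SimpleCookie needs Python 3.8 or later.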
Leverage OWASP for Web Application Security Training
The Open Web Application Security Project (OWASP Foundation Inc.)
Participation in OWASP is free and open to all
The vision is a software market that produces code that’s secure. The mission is to make security visible so that software buyers and sellers are on equal footing and market forces can work.
International not-for-profit charitable organization funded primarily by volunteers' time and OWASP Memberships
http://www.owasp.org
What are the Top 10 Vulnerabilities?
OWASP Top 10
Common Security Issues: The OWASP Top 10 2010
The Ten Most Critical
Aims to educate developers, architects and security practitioners about the consequences of the most common web application security vulnerabilities
Living document: the 2007 T10 differs from the 2004 T10
OWASP Top 10 2010 released
Users and Adopters: Payment Card Industry (PCI)
PCI DSS - Requirements 6.5.1 - 6.5.10 are the OWASP Top 10
PA-DSS - Requirements 5.2.1 – 5.2.10 are the OWASP Top 10
Security code review for all the custom code.
OWASP Supporters
Common Security Issues: The OWASP Top 10 2007
Common Security Issues: The OWASP Top 10 2010
Security Threats and OWASP T10 Vulnerabilities
Phishing: exploits weak authentication, authorization, session management and input validation (XSS, XFS) vulnerabilities
Privacy violations: exploit poor input validation, business rule and weak authorization, injection flaws, information leakage vulnerabilities
Identity theft: exploits poor or non-existent cryptographic controls, malicious file execution, authentication, business rule and auth checks vulnerabilities
Security Threats and OWASP T10 Vulnerabilities (cont)
System compromise, data alteration or data destruction: exploit injection flaws, remote file inclusion/upload vulnerabilities
Financial loss: exploits unauthorized transactions and CSRF attacks, broken authentication and session management, insecure object reference, weak authorization/forceful browsing vulnerabilities
Reputation loss: depends on any evidence (not necessarily exploitation) of a web application vulnerability
OWASP Top Ten 2007 and ESAPI (Enterprise Security API)
OWASP Documentation on Web Application Security
Application Security Desk Reference (ASDR): Basic reference material on application security terminology
Developer Guide: Comprehensive guide for Web applications and Web services security
Code Review Guide: Comprehensive secure code review guide on the web
Testing Guide: Web application penetration testing
ASVS: Application Security Verification Standard
OWASP Tools and Technology
Live CD
Project that collects some of the best open source security projects in a single environment
Users can boot from the Live CD and immediately start using all tools without any configuration
http://www.owasp.org/index.php/LiveCD
OWASP Tools
OWASP WebScarab v20090122
OWASP WebGoat v5.2
OWASP CAL9000 v2.0
OWASP JBroFuzz v1.2
OWASP DirBuster v0.12
OWASP SQLiX v1.0
OWASP WSFuzzer v1.9.4
OWASP Wapiti v2.0.0-beta
Paros Proxy v3.2.13
nmap & Zenmap v4.76
Wireshark v1.0.5
tcpdump v4.0.0
Firefox 3.06 + 25 addons
Burp Suite v1.2
Grendel Scan v1.0
Metasploit v3.2 (svn)
w3af + GUI svn r2161
Netcats – original + GNU
Nikto v2.03
Fierce Domain Scanner v1.0.3
Maltego CE v2-210
Httprint v301
SQLBrute v1.0
Spike Proxy v1.4.8-4
Rat Proxy v1.53-beta
WebGoat: A classic vulnerable application to teach developers security code flaws
WebScarab – A Proxy Engine
A proxy tool to intercept HTTP requests and HTTP responses
Software Assurance Maturity Model (SAMM)
Disciplines:
Alignment & Governance
Requirements & Design
Verification & Assessment
Deployment & Operations
The four Disciplines are high-level categories for activities
Three security Functions under each Discipline are the specific silos for improvement within an organization
Software Assurance Maturity Model (SAMM)
Check out this one...
SAMM Conducting assessments
SAMM includes assessment worksheets for each Security Practice
SAMM Creating Scorecards
Gap analysis: capturing scores from detailed assessments versus expected performance levels
Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place
Process perspective: Build Security in the SDLC
Threat Modeling - An approach for analyzing the security
Threat Categorization - STRIDE
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
Threats can be systematically identified in the application in a structured and repeatable manner
Threat Categorization (cont)
Type | Example | Security Control
Spoofing | Illegally access and use another user's credentials | Authentication
Tampering | Maliciously change/modify persistent data, such as data in a database | Integrity
Repudiation | Perform illegal operations that cannot be traced | Non-Repudiation
Information disclosure | Read a file that one was not granted access to, or read data in transit | Confidentiality
Denial of service | Deny access to valid users, such as making a web server temporarily unavailable or unusable | Availability
Elevation of privilege | Gain unauthorized access or compromise a system | Authorization
Training topics
Security Scanning of Web Applications
OWASP Top 10
Threat Modeling
Source code Review for Security
Code Scanning for Security
PCI DSS and PA-DSS certification
Security issues in various UI frameworks
Web Server and Application server hardening
Click Jacking
Phishing Attack
OWASP Live CD Tools project
Identify and test security issues for QA
Web Services Security
Security for Internationalized software
Since no customer is complaining, why does an organization need to fix security vulnerabilities in its applications?
Compliance
In case of a security breach:
• Fines
• Reputation Loss - Priceless
What do we do if an application is already in production and it has missed that phase of security?
It's never too late and never too early. It is a continuous process...
Penetration testing and security code review are the key.
We must fix security leaks and vulnerabilities.
What will help?
Leverage OWASP
Security Code Review
Value of mentoring is enormous
Application scanning and code scanning using static analysis tools
Web application security as part of the SDLC process
Secure code development training
Train QA to find security issues in the application
Make Security part of the SDLC process