00. introduction to app sec v3
Transcript of 00. introduction to app sec v3
![Page 1: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/1.jpg)
Introduction to Application Security
Eoin Keary
CTO BCC Risk Advisory / edgescan
www.edgescan.com
![Page 2: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/2.jpg)
Where are we going?
Web Security and HTTP Basics
What is Web Application Security?
HTTP GET/POST
HTTP Security Response Headers
Sensitive data in transit
stuff
More stuff
![Page 3: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/3.jpg)
Today’s State: "Our Website Is Safe"
- We have firewalls and IPS in place: ports 80 & 443 are open for the right reasons
- We use network vulnerability scanners: they neglect the security of the software on the network/web server
- We audit it once a quarter with pen testers: applications are constantly changing
- We use SSL encryption: it only protects data between site and user, not the web application itself
- We outsource
![Page 4: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/4.jpg)
• Asymmetric Arms Race
![Page 5: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/5.jpg)
• A traditional end-of-cycle / annual pentest only gives minimal security.
• There are too many variables and too little time to ensure “real security”.
![Page 6: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/6.jpg)
An inconvenient truth
Two weeks of ethical hacking vs. ten man-years of development
Business Logic Flaws, Code Flaws, Security Errors
![Page 7: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/7.jpg)
Make this more difficult: let’s change the application code once a month.
![Page 8: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/8.jpg)
“We need an Onion”
- SDL Design review, Threat Modeling, Code review/SAST
- Pentesting/DAST
- Live/Ongoing: Continuous/Frequent monitoring/Testing, Manual Validation, Vulnerability management & Priority, Dependency Management ….
We need more than a Penetration test.
Hungry?
![Page 9: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/9.jpg)
You are what you eat
![Page 10: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/10.jpg)
Application Code: degrees of trust (More … LESS)
- COTS (Commercial off the shelf)
- Outsourced development / Sub-Contractors
- Bespoke outsourced development
- Bespoke Internal development
- Third Party API’s
- Third Party Components & Systems
You may not let some of the people who have developed your code into your offices!!
![Page 11: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/11.jpg)
“We can’t improve what we can’t measure”
![Page 12: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/12.jpg)
Information flooding (melting a developer’s brain, white noise and “compliance”)
![Page 13: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/13.jpg)
Doing things right != Doing the right things
“Not all bugs/vulnerabilities are equal”
Contextualize Risk (is XSS / SQLi always High Risk?)
Do developers need to fix everything?
• Limited time
• Finite resources
• Task priority
• Pass internal audit?
White Noise
Where do we go now?
![Page 14: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/14.jpg)
Ideal world (chart): information security spend vs. security incidents (business impact)
![Page 15: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/15.jpg)
Real world (chart): information security spend vs. security incidents (business impact)
![Page 16: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/16.jpg)
Application Vulnerabilities Overview
• Application security vulnerabilities can be roughly broken down into 4 categories.
• Application Infrastructure
  • Application infrastructure misconfigured
  • Data passed between browser and server not secured
• Application Controller/Server Tier not coded securely
  • Broken Authentication and Session Management
  • Business object references (identifiers) not properly secured
  • Failure to Restrict URLs Properly
  • Unvalidated Redirects and Forwards
• Vulnerabilities at the Browser Level
  • Unvalidated data becomes a script executed on the browser
  • Logged-in user's session is able to be forged
• Vulnerabilities at the Persistence Tier
  • Database access not properly written to use SQL securely
  • Data not stored in a cryptographically secure way
![Page 17: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/17.jpg)
Developer Security?
Developers rarely get application security training in school
The protocols we use for web development are insecure
The languages we use for web development are insecure
The frameworks we use for web development are insecure
Developers rarely get prescriptive security requirements at work
Developers rarely get good assessment technology to verify if they are writing secure code and applications
Recipe for Disaster!
![Page 18: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/18.jpg)
Secure Application Design Principles
- Practice least privilege: applications should execute with the least privilege required to perform a job
- Employ secure defaults: choose appropriate features for users and ensure that these features are secure
- Validate data from all sources: always assume that data from any source is malicious and validate it before use
- Fail to a secure mode: design applications to fail to a secure state and never disclose confidential data or provide elevated privileges
- Prevent information leakage: an unintentional revelation of information about the way an application works
- Practice defense in depth: use multiple layers of security instead of a single mechanism
- Secure the weakest link: secure your application to prevent it from being the "weakest" link
- Escape/Encode: convert data that is used by parsers into a non-executing context
![Page 19: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/19.jpg)
Web application security risks
Blurring traditional boundaries: organizations are exposing internal data and critical functionality to the public Internet through web application deployments
Data privacy: weak security controls may be exploited by skilled attackers to access sensitive information or perform unauthorized activities on your organization’s systems
Impact of a security breach: loss of customer confidence and reputational damage via the negative publicity associated with a security breach
![Page 20: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/20.jpg)
Web Application Security
Diagram: Firewall -> Web server (Host, Apps) -> App server (Host, Apps) -> DB server (Host, Database) -> Firewall
Securing the network: Router, Firewall, Switch
Securing the host: Patches/updates, Accounts, Ports, Services, Files/directories, Registry, Protocols, Shares, Auditing/logging
Securing the application: Input validation, Session mgmt, Authentication, Authorization, Config mgmt, Error handling, Secure storage, Auditing/logging, XSS Defense
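Of the application-layer controls in the diagram, session management is the one most often implemented ad hoc. The following is an added example, not from the slides, of the minimum a server-side session store should do: tokens from the OS CSPRNG, only a hash of the token kept at rest, a fresh token issued at login so a planted pre-login token is never promoted (session fixation), an idle timeout, and cookie attributes that keep the token away from script and cross-site requests. `SessionStore`, `SESSION_TTL` and the fake clock are assumptions for illustration; a real deployment backs the store with shared storage.

```python
# Added example (not from the original slides): server-side session
# management with token rotation at login and idle expiry.
import hashlib
import secrets
import time
from typing import Dict, Optional

SESSION_TTL = 15 * 60  # idle lifetime in seconds (assumed policy value)


def _digest(token: str) -> str:
    # Persist only sha256(token): a leaked session table yields no usable
    # cookies, and the token cannot be recovered from the digest.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now                    # injectable clock for testing
        self._by_digest: Dict[str, dict] = {}  # sha256(token) -> record

    def login(self, user: str, presented_token: Optional[str] = None) -> str:
        """Authenticate the user: always mint a new token and discard whatever
        token the browser presented before login, so a session fixation
        attempt (attacker plants a token, victim logs in with it) fails."""
        if presented_token is not None:
            self._by_digest.pop(_digest(presented_token), None)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_digest[_digest(token)] = {
            "user": user,
            "expires": self._now() + SESSION_TTL,
        }
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Resolve a presented token; expired sessions are removed, not honoured.
        Each valid use slides the idle timeout forward."""
        key = _digest(token)
        rec = self._by_digest.get(key)
        if rec is None:
            return None
        if rec["expires"] <= self._now():
            del self._by_digest[key]
            return None
        rec["expires"] = self._now() + SESSION_TTL
        return rec["user"]

    def logout(self, token: str) -> None:
        self._by_digest.pop(_digest(token), None)


def session_cookie(token: str) -> str:
    """Set-Cookie value: unreadable by script (HttpOnly), HTTPS only (Secure),
    and not attached to cross-site top-level POSTs or subresources (SameSite=Lax)."""
    return f"sid={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    t = store.login("alice")
    print(session_cookie(t))
    print(store.user_for(t))
```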
![Page 21: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/21.jpg)
COMMON VULNERABILITIES HACKERS EXPLOIT
1. Injection
2. Cross-site scripting
3. Broken authentication/session management
4. Insecure direct object references
5. Cross site request forgery
6. Security misconfiguration
7. Insecure cryptographic storage
8. Failure to restrict URL access
9. Insufficient transport layer security
10. Un-validated redirects and forwards
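Item 10, unvalidated redirects and forwards, is the one in this list that developers most often "fix" with a check that still fails on browser parsing quirks. The validator below is an added example, not from the slides: `ALLOWED_HOSTS` and the function name are assumptions. It covers the cases a pentester will try first: protocol-relative `//evil.com`, backslash variants that browsers read as slashes, userinfo tricks such as `https://www.example.com@evil.com`, non-HTTP schemes, and downgrade to plain http.

```python
# Added example (not from the original slides): validating a post-login
# "next" URL so a redirect cannot be pointed off-site.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com"}  # assumed: the application's own host(s)


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Return next_url if it stays on this site, otherwise the fallback."""
    if not next_url:
        return fallback
    # Browsers treat backslashes as forward slashes in URLs, so "/\evil.com"
    # means "//evil.com". Normalise before parsing so the parser sees what
    # the browser will see.
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only our own hosts, only https.
        # parts.hostname strips userinfo and port, so
        # https://www.example.com@evil.com/ resolves to evil.com and is rejected.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return fallback
        return candidate

    # Relative URL: exactly one leading slash. "//x" was already caught above
    # as netloc; "///x" is rejected here because some browsers collapse it
    # to a protocol-relative URL.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    return candidate


if __name__ == "__main__":
    for probe in ["/account", "//evil.com/", "/\\evil.com", "javascript:alert(1)",
                  "https://www.example.com@evil.com/", "https://www.example.com/orders"]:
        print(f"{probe!r:40} -> {safe_redirect_target(probe)!r}")
```

The allow-list on host plus scheme is what makes this hold up; checking that the string "starts with /" or "contains example.com" is exactly the shortcut the probes above are designed to get past.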
![Page 22: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/22.jpg)
DYNAMIC Landscape, NEW Challenges
- Software Assurance
- Mobile Security
- Cloud Security
- Data Privacy
- Social Apps
![Page 23: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/23.jpg)
Connected devices (chart): 2010: 12.5 billion; 2015: 25 billion; 2020: 50 billion. More devices than people.
![Page 24: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/24.jpg)
THE NEW PERIMETER
PEOPLE: Employees, Contractors, Customers & Partners
DEVICES: Phones, Servers, Laptops, Tablets
DATA: Unstructured & Structured
THE NETWORK IS NO LONGER THE POINT OF CONTROL
![Page 25: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/25.jpg)
• The network has become the battlefield
• Forcing defense of the entire network
• Low situational awareness on the network: who, what, when, why?
• Low awareness increases vulnerability
HE WHO DEFENDS EVERYTHING DEFENDS NOTHING
DEFEND THE CORE
![Page 26: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/26.jpg)
SECURITY / SOFTWARE ASSURANCE
Secure by Default, Designed Securely, Developed Securely
ASSURANCE IS PART OF THE SOLUTION
![Page 27: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/27.jpg)
CRITICAL PATCH UPDATES
- Security focused priority: most critical patches first, dynamic schedule
- Predictable: scheduled a year ahead, quarterly patches
- Cumulative, incremental patches
![Page 28: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/28.jpg)
API Security?
![Page 29: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/29.jpg)
Identity and Access Management
Tiers: Device, User, Service, App, MW, Database, OS, Virtual Machine, Servers, Storage
Levels: End User Level, Service Level, Operator Level
- Secure data across all tiers of storage
- Monitor and configure securely
- Complete Database protection
- Secure user access to data and transactions
- Security without a performance penalty
- Secure container for applications
- Security built into the infrastructure
- Identity propagation & consistent access policies
![Page 30: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/30.jpg)
RECOMMENDATIONS: DON’T SECURE YOURSELF OUT OF BUSINESS
• You can’t defend everything
• Assume you are already breached
• Protect your most valuable assets
• Have a plan and execute the plan
![Page 31: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/31.jpg)
US Interstate Highway System: initial cost vs. maintenance cost
http://cdmsmith.com/en-US/Insights/Funding-Future-Mobility/Exit-6-Aging-Interstates.aspx
“Interstate-related expenditures during the next 50 years will likely reach $2.5 trillion. The interstate system is anything but ‘paid for’.”
- http://cdmsmith.com
![Page 32: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/32.jpg)
Gratuitous slide to distract you so you can blame your insecure code on me
Ball + Bat = $1.10. How much is the bat if it costs $1.00 more than the ball?
![Page 33: 00. introduction to app sec v3](https://reader035.fdocuments.in/reader035/viewer/2022062412/58e4e3e61a28ab87378b49f3/html5/thumbnails/33.jpg)
Answer:
• Although $1.00 + $0.10 does equal $1.10,
• $1.00 – $0.10 gives $0.90, not $1.00,
• and the problem requires that the bat costs $1.00 more than the ball.
• The ball must cost $0.05 and the bat $1.05, since $1.05 + $0.05 = $1.10 and $1.05 – $0.05 = $1.00.