Application Security-Understanding The Horizon

Post on 06-May-2015


This presentation is part of a talk I gave at the Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I tried to cover broader aspects of Application Security basics. This presentation will be useful for software architects, managers, developers and QAs. Do share your feedback in the comments.

Transcript of Application Security-Understanding The Horizon

Application Security - Understanding The Horizon

Lalit Kale

lalitkale@gmail.com

http://lalitkale.wordpress.com

Overview

• Introduction

• Foundations of Security

• Layered Security Approach

• Importance of Application Security

• OWASP Top 10 Threats

• Industry Gap

• Bridging The Gap-Step by Step

• Microsoft Security Development Lifecycle (MS-SDL)

• Measurable results of applying MS-SDL

• Resources

Movie: Ocean's Eleven

DEMO: Simple website hacking

Why should you know hacking?

• Developers need to hone their cyber-offence skills
• If you can’t think like a hacker, it's difficult to defend against them
• Hack your own website
• First website security assessment
• Defense in depth: fix multiple security flaws that would otherwise have been a single point of failure

Who are hackers?

• Ethical Hackers/Hacktivists
  • Motivated by a higher cause
• Cyber Criminals
  • Motivated by financial gain, identity theft, malicious intentions
• Nation States
  • Cyber warfare for national security and political interest

Hacker Targets

• Enterprise Websites/Portals

• Financial Websites/Portals

• Government Websites/Portals

• Social Media Websites/Portals

Common Myth

• We are secure since we have a firewall!

Diagram: Firewall, Hardened OS, Web Server, App Server, Firewall, then the back-end systems (Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing); an APPLICATION ATTACK passes through all of these layers straight to the Custom Developed Application Code.

You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.

Network Layer vs. Application Layer: your security “perimeter” has huge holes at the application layer.

Man in the Middle Attack

Common Sources of Untrusted Data

• User
  • In URL via a query string or route
  • Posted via a form
• Browser
  • Cookies
  • Request Headers
• Other
  • External Services
  • Your own database!

Building A Risk Profile

• Attackers want to understand as much as possible about the website in order to find vulnerabilities in it, so they analyze:
  • What are the points of untrusted data entry?
  • What sanitization practices have been employed?
  • What framework and libraries is the website running on?
  • What can be discovered about the site structure?
  • What can be learned from the “view source” option of browsers?
  • Are any useful internal error messages returned to the browser?
  • Are there sufficient access controls on diagnostic data?

Data Breaches of 2012

Cybercrime Evolution

• 1986–1995: LANs, first PC virus. Motivation: damage
• 1995–2003: Internet era, “big worms”. Motivation: damage
• 2004+: OS and DB attacks, spyware, spam. Motivation: financial
• 2006+: Targeted attacks, social engineering. Motivation: financial + political

2007 Market Prices

Credit Card Number: $0.50 - $20
Full Identity: $1 - $15
Bank Account: $10 - $1000

Cost of U.S. cybercrime: about $70B

Source: U.S. Government Accountability Office (GAO), FBI

Evolving Threats

“Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.”

Foundations of Application Security

• Authentication = Who are you?
• Authorization = What can you do?
• Auditing (Non-repudiation) = You cannot deny your actions
• Confidentiality (Privacy) = Data remains private and confidential
• Integrity = Data is protected
• Availability = System remains available

Layered Security Approach

Physical Security: Controlled access, electronic surveillance, video surveillance, security personnel
Perimeter Security: Firewalls, IDS
Network Security: Segmentation, secure W-LAN, IPSec, DMZ
Host Security: Server hardening, client hardening, patch management, anti-virus, distributed firewalls
Application Security: IIS hardening, Exchange hardening, SQL Server hardening, ...

Attacks are focusing on applications

Sources: IBM X-Force, 2008

Operating system vs browser and application vulnerabilities

90% of vulnerabilities are remotely exploitable (from the Microsoft Security Intelligence Report V7)

Sources: Sept 2009 Report with data from TippingPoint IPS and vulnerability data by Qualys.

Importance of Application Security

• Web applications have the largest number of vulnerabilities.

Web Applications Complexity

• Very complex architectures, multiple platforms and protocols

Diagram of a web application: Browser, Network (HTTP, Wireless), Web Servers (Presentation Layer, Media Store), Application Server (Business Logic, Content Services, Web Services), Database Server (Customer Identification, Access Controls, Transaction Information, Core Business Data).

Web Applications Breach Perimeter

Diagram: Browser, Internet, DMZ (web server: IIS, Apache, ASP.NET), Trusted Inside (application server: WebSphere/Java), Corporate Inside (database: MS-SQL, Oracle, DB2), all carried over HTTP(S).

• The perimeter firewall allows HTTP port 80 and HTTPS port 443.
• The firewall only allows applications on the web server to talk to the application server.
• The firewall only allows the application server to talk to the database server.

OWASP Top 10 Threats

Injection Flaws
  Negative impact: Attacker can manipulate queries to the DB / LDAP / other systems
  Example impact: Hackers can access backend database information, alter it or steal it.

Broken Authentication & Session Management
  Negative impact: Session tokens not guarded or invalidated properly
  Example impact: Hacker can “force” a session token on a victim; session tokens can be stolen after logout

Cross-Site Scripting
  Negative impact: Identity theft, sensitive information leakage, ...
  Example impact: Hackers can impersonate legitimate users and control their accounts.

Insecure Direct Object Reference
  Negative impact: Attacker can access sensitive files and resources
  Example impact: Web application returns the contents of a sensitive file (instead of a harmless one)

Security Misconfiguration
  Negative impact: Attackers can gain detailed system information
  Example impact: Malicious system investigation may assist in developing further attacks

Sensitive Data Exposure
  Negative impact: Sensitive info sent unencrypted over an insecure channel
  Example impact: Unencrypted credentials “sniffed” and used by a hacker to impersonate the user

Missing Function Level Access Control
  Negative impact: Attacker can access unauthorized resources
  Example impact: Hacker can forcefully browse to and access a page past the login page

Cross-Site Request Forgery
  Negative impact: Attacker can invoke “blind” actions on web applications, impersonating a trusted user
  Example impact: Blind requests to a bank account transfer money to the hacker

Using Components with Known Vulnerabilities
  Negative impact: Attacker can exploit a vulnerable component to gain access to the system
  Example impact: Attacker can cause data loss and also take over the server.

Unvalidated Redirects and Forwards
  Negative impact: Attacker can redirect victims to phishing sites
  Example impact: Attacker can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages
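As an added example (not from the deck), the allow-list check that closes the “Unvalidated Redirects and Forwards” row: a redirect parameter is only honoured when it is a same-site path or an https URL to a host on the allow-list, and the look-alike spellings a browser would still follow (protocol-relative, backslash, userinfo) are rejected. The host names in TRUSTED_HOSTS are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of hosts we are willing to redirect to (placeholders).
TRUSTED_HOSTS = {"www.example-bank.test", "login.example-bank.test"}
DEFAULT_TARGET = "/"


def is_safe_redirect(target: str) -> bool:
    """True only for a same-site path or an https URL to a trusted host.

    The normalisation mirrors how browsers read a Location header, so the
    look-alike spellings of an external URL are caught, not just the plain one.
    """
    # Empty, or containing whitespace/control characters a browser would strip.
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat '\' like '/' in http(s) URLs, so "/\evil" means "//evil".
    normalised = target.replace("\\", "/")
    # "//host" and "///host" are scheme-relative: the host is attacker-chosen.
    if normalised.startswith("//"):
        return False
    # A plain same-site path such as "/account?tab=1" is fine.
    if normalised.startswith("/"):
        return True
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. malformed IPv6 brackets in the host part
        return False
    # Rejects javascript:, data:, http:, and the "https:/host" spelling.
    if parts.scheme.lower() != "https":
        return False
    # "https://trusted@evil.test" puts the real host after the '@'.
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in TRUSTED_HOSTS


def redirect_target(requested: Optional[str]) -> str:
    """Location value to send: the requested target if safe, else the default."""
    if requested is not None and is_safe_redirect(requested):
        return requested
    return DEFAULT_TARGET
```

Wire redirect_target() between the request parameter and the 302 response; a rejected value falls back to the default page rather than producing an error that would reveal the check.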

DEMO: OWASP Top 10 Threats (Project: WebGoat)

Industry Gap

Security Professional

“As a Network Security Professional, I don’t know how my company's web applications are supposed to work, so I deploy a protective solution... but don’t know if it’s protecting what it’s supposed to.”

Application Developers and QA

“As an Application Developer, I can build/test great features and functions while meeting deadlines, but I don’t know how to develop/test my web application with security as a feature.”

Bridging The Gap-Step by Step

• Prioritize application security as an important non-functional requirement
• Improve awareness of application security among developers and QAs.
• Incorporate security in the SDLC.
• Define clear roles and responsibilities towards application security
• Promote penetration testing of applications

Microsoft Security Development Lifecycle

Diagram of the SDL pillars:
• Education: Administer and track security training
• Accountability: Establish release criteria and sign-off as part of the FSR (Final Security Review); Incident Response (MSRC)
• Process: Guide product teams to meet SDL requirements; ongoing process improvements

Measurable results: Microsoft SDL and Windows

Source: Windows Vista One Year Vulnerability Report, Microsoft Security Blog 23 Jan 2008

Total vulnerabilities disclosed one year after release:
Windows XP (before SDL): 119
Windows Vista (after SDL): 66
OS I: 400
OS II: 242
OS III: 157

45% reduction in vulnerabilities

Measurable results: Microsoft SDL and SQL Server

Source: Analysis by Jeff Jones (Microsoft TechNet security blog)

Total vulnerabilities disclosed 36 months after release:
SQL Server 2000 (before SDL): 34
SQL Server 2005 (after SDL): 3
Competing commercial DB: 187

91% reduction in vulnerabilities

DEMO: Microsoft Security Assessment Tool 4.0

Resources

• OWASP (Open Web Application Security Project):
  https://www.owasp.org
• Microsoft Security:
  http://www.microsoft.com/security
  http://www.Microsoft.com/sdl
  http://msdn.microsoft.com/en-us/library/ff650760.aspx
• Wikipedia:
  http://en.wikipedia.org/wiki/Application_security

This presentation is shared under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information for this license is available at

http://creativecommons.org/licenses/by-nc-sa/4.0/

All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.

Lalit Kale

lalitkale@gmail.com

http://lalitkale.wordpress.com