Application Security-Understanding The Horizon
Application Security - Understanding The Horizon
Lalit Kale
http://lalitkale.wordpress.com
Overview
• Introduction
• Foundations of Security
• Layered Security Approach
• Importance of Application Security
• OWASP Top 10 Threats
• Industry Gap
• Bridging The Gap-Step by Step
• Microsoft Security Lifecycle Development (MS-SDL)
• Measurable results of applying MS-SDL
• Resources
Movie: Ocean's Eleven
DEMO: Simple website hacking
Why should you know hacking?
• Developers need to hone their cyber-offence skills
• If you can't think like a hacker, it is difficult to defend against one
• Hack your own website
• First website security assessment
• Defense in depth: layer your controls so that no single security flaw is a single point of failure
Who are hackers?
• Ethical Hackers/Hactivists
• Motivated for higher cause
• Cyber Criminals
• Motivated for financial gain, identity theft, malicious intentions
• Nation States
• Cyber warfare for national security and political interest
Hacker Targets
• Enterprise Websites/Portals
• Financial Websites/Portals
• Government Websites/Portals
• Social Media Websites/Portals
Common Myth
• We are secure since we have a firewall!
[Figure: the "application attack" diagram. Network layer: Firewall, Hardened OS, Web Server, App Server, Firewall. Application layer: Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing, Custom Developed Application Code. The APPLICATION ATTACK arrow goes through both firewalls to the custom application code.]
You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
Your security "perimeter" has huge holes at the application layer.
Man-in-the-Middle Attack
Common Sources of Untrusted Data
• User
• In URL via a query string or route
• Posted via a form
• Browser
• Cookies
• Request Headers
• Other
• External Services
• Your own database!
Building A Risk Profile
• Attackers want to understand as much as possible about the website in order to find vulnerabilities in it, so they analyze:
• What are the points of untrusted data entry?
• What sanitation practices have been employed?
• What framework and libraries is the website running on?
• What can be discovered about the site structure?
• What can be learned from the browser's "view source" option?
• Are any useful internal error messages reaching the browser?
• Are there sufficient access controls on diagnostic data?
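The last three questions can be answered about your own site before an attacker does it. The following script is an added example for this deck, not code from the original presentation: it runs over a handful of constructed HTTP responses (not captured traffic) from a fictional ASP.NET site and flags what an attacker would harvest for a risk profile: framework and version headers, internal error text and file paths reaching the browser, and diagnostic endpoints that answer without authentication. The header names and diagnostic paths are common ones, not a complete list.

```python
"""Self-check for the reconnaissance signals an attacker collects when
building a risk profile: framework/version headers, internal error details
reaching the browser, and diagnostic endpoints without access control.

Added example for this deck, not code from the original presentation.
The responses below are constructed samples, not captured traffic; the
header names and diagnostic paths are common ones, not a complete list.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Response headers that reveal the framework and libraries the site runs on.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version")

# Body fragments typical of internal error messages reaching the browser.
ERROR_PATTERNS = (
    re.compile(r"\bat [\w.$<>]+\(.*?:\d+\)"),             # Java-style stack frame
    re.compile(r"Traceback \(most recent call last\)"),   # Python traceback
    re.compile(r"[A-Za-z]:\\[\w\\.-]+"),                  # Windows filesystem path
    re.compile(r"/(?:var|home|usr|inetpub)/[\w/.-]+"),    # Unix filesystem path
    re.compile(r"ORA-\d{5}|SQLSTATE|syntax error", re.I), # database error text
)

# Diagnostic resources that must not answer 200 to an unauthenticated request.
DIAGNOSTIC_PATHS = ("/trace.axd", "/elmah.axd", "/phpinfo.php", "/server-status")


@dataclass
class Response:
    path: str
    status: int
    headers: dict
    body: str


@dataclass
class Finding:
    path: str
    kind: str      # "fingerprint", "error-leak" or "diagnostic-exposed"
    detail: str


def audit(responses):
    """Return one Finding per leak observed in the given responses."""
    findings = []
    for r in responses:
        headers = {k.lower(): v for k, v in r.headers.items()}
        for name in FINGERPRINT_HEADERS:
            if name in headers:
                findings.append(Finding(r.path, "fingerprint", f"{name}: {headers[name]}"))
        for pattern in ERROR_PATTERNS:
            m = pattern.search(r.body)
            if m:
                findings.append(Finding(r.path, "error-leak", m.group(0)[:60]))
                break   # one error-leak finding per response is enough
        if r.path.split("?")[0].lower() in DIAGNOSTIC_PATHS and r.status == 200:
            findings.append(Finding(r.path, "diagnostic-exposed", f"HTTP {r.status}"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'fingerprint': 5, 'error-leak': 1, ...}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample responses (not real traffic) for a fictional ASP.NET site.
SAMPLE_RESPONSES = [
    Response("/", 200,
             {"Server": "Microsoft-IIS/7.5", "X-Powered-By": "ASP.NET",
              "X-AspNet-Version": "4.0.30319"},
             "<html><body>Welcome</body></html>"),
    Response("/account?id=abc", 500,
             {"Server": "Microsoft-IIS/7.5"},
             "Server Error in '/' Application.\n"
             "System.FormatException: Input string was not in a correct format.\n"
             "   at MyApp.Account.Page_Load(Object sender, EventArgs e) "
             "in c:\\inetpub\\wwwroot\\Account.aspx.cs:line 23"),
    Response("/trace.axd", 200, {"Server": "Microsoft-IIS/7.5"},
             "<title>Application Trace</title>"),
    Response("/login", 200, {}, "<form method='post'>...</form>"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES):
        print(f"{f.kind:18} {f.path:18} {f.detail}")
    print(summarize(audit(SAMPLE_RESPONSES)))
```

Run against real responses, feed it the output of a crawl of your own site; the point is that every finding here is something the attacker gets for free from "view source", headers and error pages, before sending a single malicious request.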
Data Breaches of 2012
Cybercrime Evolution
• 1986–1995: LANs, first PC virus. Motivation: damage
• 1995–2003: Internet era, "big worms". Motivation: damage
• 2004+: OS and DB attacks, spyware, spam. Motivation: financial
• 2006+: Targeted attacks, social engineering. Motivation: financial + political
2007 Market Prices
Credit Card Number: $0.50 - $20
Full Identity: $1 - $15
Bank Account: $10 - $1000
Cost of U.S. cybercrime: about $70B
Source: U.S. Government Accountability Office (GAO), FBI
Evolving Threats
"Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction."
Foundations of Application Security
• Authentication: Who are you?
• Authorization: What can you do?
• Auditing (non-repudiation): You cannot deny your actions
• Confidentiality (privacy): Data remains private and confidential
• Integrity: Data is protected from unauthorized modification
• Availability: The system remains available
Layered Security Approach
• Physical Security: controlled access, electronic surveillance, video surveillance, security personnel
• Perimeter Security: firewalls, IDS
• Network Security: segmentation, secure WLAN, IPSec, DMZ
• Host Security: server hardening, client hardening, patch management, anti-virus, distributed firewalls
• Application Security: IIS hardening, Exchange hardening, SQL Server hardening
Attacks are focusing on applications
Source: IBM X-Force, 2008
Operating system vs browser and application vulnerabilities
90% of vulnerabilities are remotely exploitable (from the Microsoft Security Intelligence Report V7)
Source: Sept 2009 report with data from TippingPoint IPS and vulnerability data by Qualys.
Importance of Application Security
• Web applications have the largest number of vulnerabilities.
Web Applications Complexity
• Very complex architectures, multiple platforms and protocols
[Figure: components of a typical web application: Browser, Network (HTTP), Web Servers, Presentation Layer, Media Store, Content Services, Application Server, Business Logic, Web Services, Wireless, Database Server, Customer Identification, Access Controls, Transaction Information, Core Business Data.]
Web Applications Breach Perimeter
[Figure: zones Internet, DMZ, Trusted Inside and Corporate Inside. The browser talks HTTP(S) to the web server (IIS, Apache); the firewall allows HTTP port 80 and HTTPS port 443. The firewall only allows applications on the web server to talk to the application server (ASP.NET, WebSphere/Java), and only allows the application server to talk to the database server (MS-SQL, Oracle, DB2).]
OWASP Top 10 Threats
(for each application threat: negative impact, then an example impact)
1. Injection Flaws
   Negative impact: attacker can manipulate queries to the DB, LDAP or other systems.
   Example: attackers can read backend database information, alter it or steal it.
2. Broken Authentication & Session Management
   Negative impact: session tokens are not guarded or invalidated properly.
   Example: attacker can "force" a session token on the victim; session tokens can be stolen after logout.
3. Cross-Site Scripting
   Negative impact: identity theft, sensitive information leakage, ...
   Example: attackers can impersonate legitimate users and control their accounts.
4. Insecure Direct Object Reference
   Negative impact: attacker can access sensitive files and resources.
   Example: the web application returns the contents of a sensitive file instead of the harmless one.
5. Security Misconfiguration
   Negative impact: attackers can gain detailed system information.
   Example: malicious system investigation may assist in developing further attacks.
6. Sensitive Data Exposure
   Negative impact: sensitive information is sent unencrypted over an insecure channel.
   Example: unencrypted credentials are "sniffed" and used by the attacker to impersonate the user.
7. Missing Function Level Access Control
   Negative impact: attacker can access unauthorized resources.
   Example: attacker can forcefully browse to a page past the login page.
8. Cross-Site Request Forgery
   Negative impact: attacker can invoke "blind" actions on web applications, impersonating a trusted user.
   Example: blind requests to a bank account transfer money to the attacker.
9. Using Components with Known Vulnerabilities
   Negative impact: attacker can exploit a vulnerable component to gain access to the system.
   Example: data loss and server takeover.
10. Unvalidated Redirects and Forwards
   Negative impact: attacker can redirect victims to phishing sites.
   Example: attacker redirects victims to phishing or malware sites, or uses forwards to access unauthorized pages.
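The injection row is the one the WebGoat demo usually starts with, so here is what it looks like in code. This is an added example, not code from the deck: a login check that pastes the username into the SQL text, next to the same query with bound parameters, run against an in-memory sqlite3 table with one constructed account. The SHA-256 password hash is for the demo only; a real system uses a salted, slow hash such as PBKDF2 or bcrypt.

```python
"""Injection (OWASP #1): a login check built by string concatenation next to
the parameterized version. Added example, not from the original deck; the
users table and credentials are constructed test data, and the SHA-256
password hash is for the demo only (real systems use a salted, slow hash
such as PBKDF2 or bcrypt).
"""
import hashlib
import sqlite3


def password_hash(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", password_hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is pasted into the SQL text, so it can change the query's grammar."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + password_hash(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is only ever data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, password_hash(password)),
    ).fetchone()
    return row[0] if row else None


# Closes the quoted string, adds an always-true condition and comments out the
# password check, so the query becomes: ... WHERE username = '' OR 1=1 --' AND ...
INJECTED_USERNAME = "' OR 1=1 --"


def demo():
    """Return (vulnerable result, parameterized result) for the injected username."""
    conn = make_db()
    return (login_vulnerable(conn, INJECTED_USERNAME, "wrong"),
            login_safe(conn, INJECTED_USERNAME, "wrong"))


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("vulnerable login returned:", vulnerable)    # alice, without the password
    print("parameterized login returned:", safe)       # None
```

The parameterized version is not "escaping done right"; it is a different mechanism. The database receives the query text and the values separately, so nothing in the username can terminate the string literal or start a comment. The same rule applies to the LDAP and "other system" cases in the table: build the query with the API's binding mechanism, not by concatenating input.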
DEMO: OWASP Top 10 Threats (Project: WebGoat)
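The unvalidated redirects item (#10) is the one most often "fixed" with a check that still fails. The function below is an added example for this deck, not the presentation's own code; it validates a "return to" target against an assumed list of the site's own hostnames before a redirect is issued, and rejects the usual bypasses: scheme-relative `//host`, `///host`, `javascript:` and other non-HTTP schemes, `user@host` tricks, backslash variants that browsers normalise to `//`, and control characters that would allow header injection.

```python
"""Unvalidated redirects (OWASP #10): validate the "return to" target before
issuing a redirect. Added example, not from the original deck; ALLOWED_HOSTS
is an assumed configuration for a fictional site.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"www.example.com", "example.com"})   # assumed: this site's own hosts
FALLBACK = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `target` if it points back into this site, otherwise `fallback`."""
    if not target:
        return fallback
    # CR/LF or other control characters could inject response headers; refuse outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return fallback
    target = target.strip()
    # Browsers treat "/\evil.example" like "//evil.example"; refuse backslashes.
    if "\\" in target:
        return fallback
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Site-relative path: accept only "/path", never "//host" or "///host".
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback
    if parts.scheme.lower() not in ("http", "https"):
        return fallback   # javascript:, data:, ftp:, ...
    # .hostname drops userinfo ("user@") and the port, and lowercases the host.
    host = parts.hostname or ""
    return target if host in allowed_hosts else fallback


# Constructed inputs an attacker might put in ?returnUrl=..., with the decision.
CASES = [
    ("/account/settings", "/account/settings"),
    ("https://www.example.com/help", "https://www.example.com/help"),
    ("//evil.example/phish", FALLBACK),
    ("///evil.example/phish", FALLBACK),
    ("https://evil.example/phish", FALLBACK),
    ("https://www.example.com@evil.example/", FALLBACK),
    ("javascript:alert(1)", FALLBACK),
    ("/\\evil.example", FALLBACK),
    ("/account\r\nSet-Cookie: x=1", FALLBACK),
    ("", FALLBACK),
]

if __name__ == "__main__":
    for raw, expected in CASES:
        got = safe_redirect_target(raw)
        print(f"{'ok ' if got == expected else 'BAD'} {raw!r:42} -> {got!r}")
```

The design choice worth noting is the allow-list: the function never tries to recognise "bad" targets, it only recognises two good shapes (an absolute path on this site, or an absolute URL whose host is ours) and falls back to a fixed page for everything else. Forwards (server-side dispatch to another handler) need the same treatment, with the access control of the destination enforced there, not assumed from the entry point.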
Industry Gap
Security Professional
"As a Network Security Professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution... but don't know if it's protecting what it's supposed to."
Application Developers and QA
"As an Application Developer, I can build/test great features and functions while meeting deadlines, but I don't know how to develop/test my web application with security as a feature."
Bridging The Gap - Step by Step
• Prioritize application security as an important non-functional requirement
• Improve awareness of application security among developers and QAs
• Incorporate security in the SDLC
• Define clear roles and responsibilities for application security
• Promote penetration testing of applications
Microsoft Security Development Lifecycle
[Figure: the SDL organised around three pillars. Education: administer and track security training. Process: guide product teams to meet SDL requirements; ongoing process improvements. Accountability: establish release criteria and sign-off as part of the FSR (Final Security Review); incident response (MSRC).]
Measurable results: Microsoft SDL and Windows
Total vulnerabilities disclosed one year after release:
Windows XP (before SDL): 119
Windows Vista (after SDL): 66
OS I: 400
OS II: 242
OS III: 157
45% reduction in vulnerabilities
Source: Windows Vista One Year Vulnerability Report, Microsoft Security Blog, 23 Jan 2008
Measurable results: Microsoft SDL and SQL Server
Total vulnerabilities disclosed 36 months after release:
SQL Server 2000 (before SDL): 34
SQL Server 2005 (after SDL): 3
Competing commercial DB: 187
91% reduction in vulnerabilities
Source: analysis by Jeff Jones (Microsoft TechNet security blog)
DEMO: Microsoft Security Assessment Tool 4.0
Resources
• OWASP (Open Web Application Security Project):
https://www.owasp.org
• Microsoft Security:
http://www.microsoft.com/security
http://www.Microsoft.com/sdl
http://msdn.microsoft.com/en-us/library/ff650760.aspx
• Wikipedia:
http://en.wikipedia.org/wiki/Application_security
This presentation is shared under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information for this license is available at
http://creativecommons.org/licenses/by-nc-sa/4.0/
All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.
Lalit [email protected]
http://lalitkale.wordpress.com