Enterprise Cloud Security - Concepts Mash-up


Transcript of Enterprise Cloud Security - Concepts Mash-up

Page 1: Enterprise Cloud Security - Concepts Mash-up

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

DILEEP KALIDINDI, 23rd June 2015

Securing Enterprise & Cloud Applications

Concept Mashup #Cryptography #CloudSecurity #SecureCoding #PenetrationTesting

Page 2: Enterprise Cloud Security - Concepts Mash-up

About Me ..!!

Dileep Varma Kalidindi

Senior Engineer @Responsys (since Apr’14), Circles Team.

Fascination: problem solving, distributed & big-data churning systems.

Past: 8+ yrs with VeriSign, Informatica Labs, NTT Data.

Page 3: Enterprise Cloud Security - Concepts Mash-up

As an Aam Aadmi (a common man, not the broom-party app):
- Have your (digital) assets ever been hacked?
- How many phishing/malware emails do you have in your Gmail inbox?

As a Cloud Product Engineer:
- Application security: what scares the hell out of you?
- Can you host Responsys customer credit card information on some Oracle Cloud X product?
- Did you ever do a hotfix to fix a security vulnerability in your code?
- Do we have an explicit secure-coding checklist & security testing as part of release deliverables?

Absolute security is a myth!!

What do you think?

Page 4: Enterprise Cloud Security - Concepts Mash-up

Secure world – Reality – Top 2014 flaws

- Heartbleed bug in SSL/TLS – view data over HTTPS; OpenSSL 1.1 encryption flaw – missing validation on a variable (length)
- Data breach at Target, Home Depot – POS system – 56m credit card details & 53m emails
- Apple ROTs – man-in-the-middle attack through an SSL encryption flaw – celebrity pictures exposed
- Drupal boogeyman – SQL injection attack
- Facebook scams – 850,000 – cost in 2014 > 12.5 B$
- 3rd-party apps – Dropbox passwords leaked, Snapchat images leaked
- Stuxnet, FLAME

Page 5: Enterprise Cloud Security - Concepts Mash-up

Agenda

- Cyber threats and impact
- Crypto concepts
- Cloud – data security considerations
- Java security landscape
- Secure coding practices
- Pen testing
- DEMO

Page 6: Enterprise Cloud Security - Concepts Mash-up

Attack landscape – basic identification

Attacks – Secrecy (stealing), Integrity (phishing), Availability (DoS) & APTs (persistent)

Attack vectors – the path by which an attack takes place:
- Kernel/design flaws – buffer overflow (stack/heap)
- Insufficient input validation (injection)
- Misconfiguration
- Symlinks
- File descriptors
- Race conditions
- Incorrect permissions
- Social engineering

Operational impact – Denial of Service (host/network/distributed), installed malware (remote code), web/root/user compromise

Informational impact – Distort, Disrupt, Destruct, Disclosure & Discovery

Target systems – OS (kernel/user/driver), Network, Application (server, DB, email, web & client)

Page 7: Enterprise Cloud Security - Concepts Mash-up

Cryptography – Back to basics & concepts


Page 8: Enterprise Cloud Security - Concepts Mash-up

Cryptography - Basics & Concepts

Security goals
- Data integrity, authentication, non-repudiation, confidentiality & trust
- Deals with making communications and storage secure

Encryption / Decryption
- Encryption: clear-text message to cipher-text
- Decryption: cipher-text to clear-text

Types of encryption algorithms
- Symmetric key
- Asymmetric key

Page 9: Enterprise Cloud Security - Concepts Mash-up

Cryptography - Hashes

- Infeasible to reverse – one-way ("1-way encryption")
- Variable-length input string to a short fixed-length binary sequence
- Efficient – easy to compute; infeasible to craft collisions
- Used for storage of passwords
- Algos – MD5 128 bits (broken), SHA-1 160 bits, SHA-256 & SHA-512
- Attacks – dictionary / rainbow-table attacks, hash collision
- Mitigation – use random salts, SHA-256, 2-factor auth

Page 10: Enterprise Cloud Security - Concepts Mash-up

Symmetric Crypto - Overview

- Symmetric – the same key is used for encryption and decryption
- Need a mechanism to exchange the shared key securely
- Key must be secret and safely stored
- For storage and secure transmission
- Symmetric ciphers are efficient: inexpensive encryption/decryption for their strength
- Algos – DES, 3DES, AES, RC4
- Attack – cryptanalysis & key compromise
- Mitigation – secure key store

Page 11: Enterprise Cloud Security - Concepts Mash-up

Asymmetric Crypto - Overview

- Public key is published to all & private key is a secret (to be stored)
- Encrypt with one key & decrypt with the other
- Infeasible to compute the private key from the public key
- Smaller keys are efficient; longer keys have higher crypto strength
- Secure communications – key exchange during session establishment – SSL, PGP & SSH
- Mechanisms – digital signatures & certificates

Page 12: Enterprise Cloud Security - Concepts Mash-up

Digital Signatures - Overview

- Hashing & asymmetric crypto combined
- Data stays clear-text; the signature is computed over the data's hash
- Algo – RSA/SHA-x, DSA
- Applications – PGP signed emails, SSL certs
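The "hash, then private-key operation" described above, as an added example that is not part of the deck. It uses the JDK's java.security Signature API with the RSA/SHA-256 pairing the slide names; the class name, the sample message and the key size are my own. The data itself travels in clear-text; only the signature proves who produced it and that it was not altered.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class SignatureDemo {

    // Signer keeps the private key; the public key is the one that gets published (or wrapped in a certificate)
    static KeyPair newRsaPair() throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }

    // SHA256withRSA: the provider hashes the data with SHA-256, then applies the RSA private-key operation
    static byte[] sign(PrivateKey priv, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(data);
        return s.sign();
    }

    // Verifier recomputes the hash over the received data and checks it against the signature with the public key
    static boolean verify(PublicKey pub, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = newRsaPair();
        byte[] email = "constructed sample: approve workflow #1234".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(kp.getPrivate(), email);

        System.out.println("untouched message verifies: " + verify(kp.getPublic(), email, sig));   // true

        byte[] altered = email.clone();
        altered[altered.length - 1] = '5';   // change one character of the clear-text
        System.out.println("altered message verifies:   " + verify(kp.getPublic(), altered, sig)); // false
    }
}
```

This is the primitive page 17 relies on when it says to sign emails that trigger workflow actions: the receiving system runs `verify` before acting.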

Page 13: Enterprise Cloud Security - Concepts Mash-up

Digital Certificates – Signatures + Chain of trust

Builds on digital signatures & PKI. Certificate – a digitally signed public key:
- Is public & valid for a time
- Certifies that the public key identifies the subject
- Affixed with the CA's signature

Chain of trust with CAs – VeriSign, Symantec

Page 14: Enterprise Cloud Security - Concepts Mash-up

Data security considerations for Cloud


Page 15: Enterprise Cloud Security - Concepts Mash-up

Cloud data security - Issues

Data security is crucial for enterprises, and protection is vital for reputation. The major deterrent to cloud computing adoption is data security concern:

- Data moves out of enterprise boundaries
- Trust in cloud providers
- Shared infrastructure

The benefits are compelling if data security is comprehensive and non-intrusive. Top cloud data security issues (Gartner):

- Xen hypervisor virtualization bug
- Breach notification and data residency
- Encryption key management & resiliency of the encryption system

Page 16: Enterprise Cloud Security - Concepts Mash-up

Cloud data security – Who is responsible

- Encryption of data (sent to the cloud) is always a good practice
- Different levels of providers for overall security
- Shared infrastructure can raise the likelihood of a security breach
- APIs allow many admin functions – a weakness in an API can be catastrophic
- Encryption layers: encrypting at a higher layer can protect, but is hard (& inefficient)

Still, who has the keys? – the provider.
- Disks encrypted by the provider – the provider can see the content
- File systems encrypted by the provider – the provider can see the file content!!

Page 17: Enterprise Cloud Security - Concepts Mash-up

Manage your cloud

1-way hashes: store passwords in the DB as one-way hashes with salt for apps hosted by you (in the cloud).

Symmetric crypto: the secure way to store uploaded data, sensitive personal information in databases, VM images, emails etc. Encrypt sensitive data stores in the database and search indexes in the apps provided by you.

Asymmetric crypto: use HTTPS for all confidential exchanges. Sign emails, especially input emails that trigger workflow actions. Implement certificate-based client authentication properly.

Page 18: Enterprise Cloud Security - Concepts Mash-up

Cloud data security - trends

Hardware Security Modules (HSM) – a cryptographic black box: input data comes out transformed (crypto). Secure & tamper-resistant storage for high-value keys.

Cloud encryption gateways

Fully homomorphic encryption (advanced research)

Page 19: Enterprise Cloud Security - Concepts Mash-up

Java Security Landscape


Page 20: Enterprise Cloud Security - Concepts Mash-up

Security Overview - Java

Java platform at the core: type safety, automatic GC, secure class loading & verification.

Basic principles: implementation independence, interoperability & algorithm extensibility.

Robust bytecode verification and class loading. APIs to integrate security into Java application code: cryptography, PKI (public key infrastructure), authentication, secure communication & access control.

Page 21: Enterprise Cloud Security - Concepts Mash-up

Security model - evolution

JDK 1.0 – allowed trusted code (in the JVM) & untrusted remote code in a sandbox (applets)

JDK 1.1 – allowed trusted remote code in the JVM

Java 2 Platform Security Model

Page 22: Enterprise Cloud Security - Concepts Mash-up

Security model

JVM View:

Page 23: Enterprise Cloud Security - Concepts Mash-up

Security model – policy stages

Page 24: Enterprise Cloud Security - Concepts Mash-up

Secure Class loading

PKI – public key cryptography – secure exchange of information: keys, certificates, public key encryption, and trusted Certification Authorities (CAs)

PKI tools – keytool, jarsigner. Secure communication – SSL/TLS, SASL, GSS-API & Kerberos

Other concepts:

Page 25: Enterprise Cloud Security - Concepts Mash-up

Secure Coding Practices


Page 26: Enterprise Cloud Security - Concepts Mash-up

Secure Coding – safeguard from Injection

Avoid injection attacks:
- SQL injection – injecting SQL snippets into un-sanitized form fields
- Regex injection – sanitize regular expressions (in search fields)
- Log injection – do not log un-sanitized inputs

Coding errors are a major cause of software vulnerabilities – 64% of 2500 in the National Vulnerability Database

Comprehensive list @ CERT Standards

Let's drive by code
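The three injection items above, each with the fix next to the defect, as an added example that is not the deck's code. The `users(id, name)` table, the JDBC `Connection` and the sample inputs are my own assumptions. The pattern is the same in all three cases: keep the untrusted value as data and never let it become part of the interpreted text (SQL statement, regex pattern, log line).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class InjectionSafe {

    // VULNERABLE: the value becomes part of the SQL text, so a quote in it changes the statement
    static String unsafeSql(String name) {
        return "SELECT id FROM users WHERE name = '" + name + "'";
    }

    // SAFE: the statement text is fixed; the value is bound and never parsed as SQL
    static List<Long> findUserIds(Connection db, String name) throws SQLException {
        List<Long> ids = new ArrayList<>();
        try (PreparedStatement ps = db.prepareStatement("SELECT id FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) ids.add(rs.getLong("id"));
            }
        }
        return ids;
    }

    // Regex injection: a search term is a literal, not a pattern the user gets to write
    static Pattern literalSearch(String term) {
        return Pattern.compile(Pattern.quote(term), Pattern.CASE_INSENSITIVE);
    }

    // Log injection: line breaks in input would let it forge extra, authentic-looking log lines
    static String forLog(String input) {
        return input.replaceAll("[\\r\\n]+", " ");
    }

    public static void main(String[] args) {
        String name = "O'Brien";   // constructed input containing a quote
        System.out.println(unsafeSql(name));   // the quote ends the literal early: malformed / altered SQL

        System.out.println(literalSearch("a.b").matcher("axb").find());   // false: '.' is a literal dot
        System.out.println(literalSearch("a.b").matcher("A.B").find());   // true

        System.out.println(forLog("login ok\nWARN forged entry"));        // stays one log line
    }
}
```

`findUserIds` is not exercised in `main` because it needs a live database; the point of the contrast is that the user's text reaches the driver through `setString`, where it can only ever be a value.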

Page 27: Enterprise Cloud Security - Concepts Mash-up

Secure Coding – avoid Cross site scripting

XSS – injection of client-side malicious script into web pages through web requests or un-validated dynamic content.

Mozilla XSS-Me demo. Reflected (non-persistent) vs persistent XSS attacks – demo (http://testasp.vulnweb.com/search.asp)

- Injected through data in HTTP query params or form submissions
- Non-validated user-supplied input in the response can cause this
- When user script input is stored on the server it becomes a persistent attack (search user preferences)

XSS prevention model
- Use the HttpOnly flag on the session cookie (to avoid access by any JavaScript)
- Content Security Policy on the browser side
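The prevention model above in a servlet, as an added example that is not from the deck: reflected input is HTML-escaped where it is written into the page, the response carries a Content Security Policy, and the session cookie is marked HttpOnly (and Secure) through the Servlet 3.0 `SessionCookieConfig`. The servlet path, class names and the `q` parameter are my own choices; the API is javax.servlet, the one in use when this deck was written.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

@WebServlet("/search")
public class SearchServlet extends HttpServlet {

    // Encode the five characters that let text break out of an HTML text node or quoted attribute
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String q = req.getParameter("q");
        if (q == null) q = "";

        // CSP: scripts only from this origin and no inline script, so an injected <script> would not execute
        resp.setHeader("Content-Security-Policy",
                "default-src 'self'; script-src 'self'; object-src 'none'");
        resp.setContentType("text/html;charset=UTF-8");

        try (PrintWriter out = resp.getWriter()) {
            // Reflected input is escaped at the point it enters the HTML, not somewhere upstream
            out.println("<p>Results for: " + escapeHtml(q) + "</p>");
        }
    }
}

// Session cookie hardening (Servlet 3.0+): HttpOnly keeps document.cookie from reading it, Secure keeps it on HTTPS
@WebListener
class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent e) {
        SessionCookieConfig cfg = e.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true);
        cfg.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent e) { }
}
```

The same cookie flags can be set declaratively in web.xml under `<session-config><cookie-config>` with `<http-only>true</http-only>` and `<secure>true</secure>`. Escaping is context-specific: `escapeHtml` is right for an HTML text node or attribute value; a value placed inside a script block or a URL needs the encoder for that context instead.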

Page 28: Enterprise Cloud Security - Concepts Mash-up

Secure Coding – avoid Cross site scripting

Page 29: Enterprise Cloud Security - Concepts Mash-up

Security Coding practices - Java

Prevent Denial of Service (DoS attacks)
- Avoid serving expensive requests (repeated large-file downloads)
- Set limits for entity expansions and attributes (with XML) – XMLConstants.FEATURE_SECURE_PROCESSING
- Release all resources in all cases (finally block, or use try-with-resources)

Best practices for input validation & data sanitization
- Do not trust the contents of hidden form fields – sanitize them!!
- Perform string modifications before validation (avoid XSS) – Java example

Object orientation security practices
- Compare Class objects, not class names

Source code analysis tools – BugScout, Pitbull SCC
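Three of the Java items above (entity-expansion limits via XMLConstants.FEATURE_SECURE_PROCESSING, string modification before validation, comparing Class rather than class names) as one added example that is not the deck's code. The class names and the sample inputs are my own; the `disallow-doctype-decl` feature URI is the Xerces feature the JDK's built-in parser accepts. The normalization step uses java.text.Normalizer, which is the "modify before validate" idea the slide refers to.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;
import java.text.Normalizer;
import java.util.regex.Pattern;

public class HardenedInput {

    // XML parser with expansion limits and no DTD processing at all
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);                  // caps entity expansion / attribute counts
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DOCTYPE: no recursive or external entities
        f.setExpandEntityReferences(false);
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    static Document parse(String xml) throws Exception {
        return hardenedParser().parse(new InputSource(new StringReader(xml)));
    }

    private static final Pattern ANGLE = Pattern.compile("[<>]");

    // Normalize first, then validate: NFKC folds look-alike code points into the ASCII form the page will render
    static boolean isSafeDisplayName(String raw) {
        String s = Normalizer.normalize(raw, Normalizer.Form.NFKC);
        return !ANGLE.matcher(s).find();
    }

    // Compare Class objects, not names: the same name can be defined by different class loaders
    static final class TrustedMessage { }

    static boolean isTrustedByIdentity(Object o) {
        return o.getClass() == TrustedMessage.class;
    }

    static boolean isTrustedByName(Object o) {   // weaker check the slide warns against
        return o.getClass().getName().equals(TrustedMessage.class.getName());
    }

    public static void main(String[] args) throws Exception {
        System.out.println(parse("<order><id>42</id></order>").getDocumentElement().getTagName()); // order

        try {   // constructed document with a DTD: refused before any entity is expanded
            parse("<!DOCTYPE d [<!ENTITY e \"x\">]><d>&e;</d>");
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Fullwidth '<' and '>' (U+FF1C, U+FF1E) pass a naive ASCII check but normalize to real angle brackets
        String tricky = "\uFF1Cscript\uFF1E";
        System.out.println("contains no angle brackets before normalization: " + !ANGLE.matcher(tricky).find()); // true
        System.out.println("validated after normalization: " + isSafeDisplayName(tricky));                     // false

        System.out.println(isTrustedByIdentity(new TrustedMessage()));   // true
        System.out.println(isTrustedByName(new TrustedMessage()));       // true here, but not a proof of identity
    }
}
```

Validating the raw string and normalizing afterwards would let `tricky` through and then turn it into `<script>` on the page, which is exactly the ordering error the slide's "string modifications before validations" item is about.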

Page 30: Enterprise Cloud Security - Concepts Mash-up

Pen Testing


Page 31: Enterprise Cloud Security - Concepts Mash-up

Penetration Testing

A method to evaluate the security of our web application – active analysis for vulnerabilities.

Hack your own application – before someone else does!! Testing phases – set-up, passive phase & active phase.

Attack environment (set-up): set up a simulator (with firewalls, LBs, proxies and production config for app servers). Try to penetrate as a stranger without any privileges on resources.

What do we need? Reconnaissance about the app, the right tools (plugins, exploit frameworks, crawlers), a system to hack & the mindset to crack!!

Page 32: Enterprise Cloud Security - Concepts Mash-up

Pen Testing – Passive

Reconnaissance – know your target
- Determine application types & versions
- Refer to the latest vulnerabilities in OSVDB / NVD
- Observe regular application behaviour – RI
- Advanced Google searching, aka Google hacking: https://pentest-tools.com/reconnaissance/google-hacking
- Application mapping – https://pentest-tools.com

Active phase – attack plan
- Business logic
- Authentication, authorization & session management
- Data validation & Denial of Service

Page 33: Enterprise Cloud Security - Concepts Mash-up

Pen Testing – Tools

Fuzzing – an automated or semi-automated way to provide invalid, unexpected or random data to the inputs of a computer program. A required technique to find SQL injection, DDoS & XSS attacks.

Tools:
- Exploit frameworks – Metasploit
- Web proxy – Burp, Paros, WebScarab
- Fuzzing – WSFuzzer
- Brute force – Brutus
- Password cracking – John the Ripper
- Scanner – w3af and ZAP

Page 34: Enterprise Cloud Security - Concepts Mash-up


References

Page 36: Enterprise Cloud Security - Concepts Mash-up


Q & A

Page 37: Enterprise Cloud Security - Concepts Mash-up


Thank you

Page 39: Enterprise Cloud Security - Concepts Mash-up

APPENDIX