Transcript of Securing the New Breed of Web Applications · 2017-03-03
Securing the New Breed of Web Applications
Dave Ferguson
Solution Architect, Application Security SME
Web Application Security
Often overlooked or neglected
Regulatory compliance
Reduce risk / due diligence
Contract language may include application security
But how to assure your applications are secure?
Application Testing Approaches
Dynamic Analysis
Static Code Analysis
Manual penetration testing
In the Beginning
Timeline, 1995 to 2002:
Server-side Includes
CGI
Classic ASP
Java servlets / JSPs
Static site / HTML 4
ASP.NET
ColdFusion
PHP
Web 2.0
Timeline, 2002 to 2009:
Dynamic HTML
AJAX
JSON
Flash/Flex
Silverlight
JavaFX
Mashups
The New Breed of Web Apps
Timeline, 2009 to 2016:
HTML5
AngularJS
WebSocket
Single Page Apps
GWT
REST APIs
URL Rewriting
Backbone JS
Ext JS
Challenges for Dynamic Scanners
Web Applications
Crawling must be more intelligent
Can't simply parse HTML to find links or forms
Identify JavaScript events to "fire" them
Determine injection points in URL rewriting
REST APIs
Commonly used as backend for mobile apps
Crawling concept does not apply
Tool must know how to invoke the service endpoints
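The URL-rewriting point above, as an added example that is not from the talk: a scanner that treats /products/1042/reviews as a fixed page never tests the 1042 segment, so it has to infer route templates from the URLs it crawled and register each variable segment as an injection point. This Python sketch is mine; the shop.example URLs are a constructed sample and the {param} notation is an assumption.

```python
import re
from functools import reduce
from urllib.parse import urlsplit

# Constructed sample of URLs a crawler could discover on a URL-rewriting app.
CRAWLED = [
    "https://shop.example/products/1042/reviews",
    "https://shop.example/users/alice/orders/7",
    "https://shop.example/users/bob/orders/9",
    "https://shop.example/about",
]
# Segments that look like identifiers are parameters even when seen only once.
ID_VALUE = re.compile(r"^(\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)
END = ""  # terminal marker: a path may end here and also continue deeper

def build_trie(urls):
    root = {}
    for u in urls:
        node = root
        for seg in filter(None, urlsplit(u).path.split("/")):
            node = node.setdefault(seg, {})
        node[END] = {}
    return root
def merge(a, b):  # deep union of trie b into trie a, without mutating b
    for k, v in b.items():
        merge(a.setdefault(k, {}), v)
    return a
def shape(node):  # subtree structure with identifier-like segments normalised
    return tuple(sorted(("{id}" if ID_VALUE.match(k) else k, shape(v))
                        for k, v in node.items()))
def collapse(node):
    # A segment becomes {param} if it looks like an identifier, or if several
    # literal siblings share the same subtree shape (alice/bob -> orders/<id>).
    groups, params, out = {}, [], {}
    for k, v in node.items():  # literal leaves such as /about never merge
        key = "{id}" if ID_VALUE.match(k) else shape(v) if v.keys() - {END} else ("leaf", k)
        groups.setdefault(key, []).append(k)
    for keys in groups.values():
        if len(keys) > 1 or ID_VALUE.match(keys[0]):
            params += keys
        else:
            out[keys[0]] = collapse(node[keys[0]])
    if params:
        out["{param}"] = collapse(reduce(merge, (node[k] for k in params), {}))
    return out
def injection_points(urls):  # route templates; every {param} must be fuzzed
    def walk(node, prefix=""):
        for k, v in node.items():
            yield from ([prefix or "/"] if k == END else walk(v, prefix + "/" + k))
    return sorted(walk(collapse(build_trie(urls))))
```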
Responding to the Challenge
Dynamic Test Tools Are Evolving
Automation is critical (resources are scarce!)
Many scanners adapting to the new web technologies
Also testing for new types of web vulnerabilities
Test coverage remains vital
Tool should be able to authenticate to the system
Tool should be able to crawl web apps, even those built on new JS frameworks
Tool should support URL rewriting
Tool should support REST APIs
SDLC
Application Security Program
AppSec Center of Excellence
Maintain secure coding guidelines/standards
Organize security training for developers
Manage testing activities
Confirm 3rd-party libraries are not vulnerable
Track metrics to demonstrate improvement
OpenSAMM (www.opensamm.org)
BSIMM (www.bsimm.com)
Software Assurance Maturity Model
Security in the SDLC
Define security requirements
Maintain an inventory of applications
Scan apps early and often in the dev lifecycle
Leverage scan tool APIs to automate testing
Perform application threat modeling
Require secure code training for developers
Leverage the security features of development frameworks
Thank You