This presentation is part of one of talk, I gave in Microsoft .NET Bootcamp. The contents are slightly edited to share the information in public domain. In this presentation, I tried to cover broader aspects of Application Security basics. This presentation will be useful for software architects/Managers,developers and QAs. Do share your feedback in comments.

1. Application Security-I
Understanding The Horizon
Lalit Kale
lalitkale@gmail.com
http://lalitkale.wordpress.com

2. Overview
•
Introduction
•
Foundations of Security
•
Layered Security Approach
•
Importance of Application Security
•
OWASP Top 10 Threats
•
Industry Gap
•
Bridging The Gap-Step by Step
•
Microsoft Security Lifecycle Development (MS-SDL)
•
Measurable results of applying MS-SDL
•
Resources

3. Movie- Ocean Eleven

4. DEMO
Simple website hacking

5. Why you should know hacking?
•
Developers need to hone their cyber-offence skills
•
•
Hack your own website
•
•
If you can’t think like hacker, it's difficult to defend against them
First website security assessment
Defense in depth
•
Fix multiple security flaws that would otherwise have been single point of
failure

6. Who are hackers?
•
Ethical Hackers/Hactivists
•
•
Cyber Criminals
•
•
Motivated for higher cause
Motivated for financial gain, identity theft, malicious intentions
Nation States
•
Cyber warfare for national security and political interest

7. Hacker Targets
•
Enterprise Websites/Portals
•
Financial Websites/Portals
•
Government Websites/Portals
•
Social Media Websites/Portals

8. Common Myth
App Server
Web Server
Hardened OS
Billing
Human Resrcs
Directories
APPLICATION
ATTACK
Web Services
Custom Developed
Application Code
Legacy Systems
Your security “perimeter” has huge
holes at the application layer
Databases
Application Layer
We are secure since we have a firewall !
Firewall
Firewall
Network Layer
•
You can’t use
network layer
protection
(firewall, SSL, IDS,
hardening)
to stop or detect
application layer
attacks

9. Man in Middle Attack

10. Common Sources of Untrusted Data
• User
• In URL via a query string or route
• Posted via a form
• Browser
• Cookies
• Request Headers
• Other
• External Services
• Your own database!

11. Building A Risk Profile
•
Attackers wants to understand as much as possible about the
website in order to find out vulnerabilities in website. So analyzes
What are points of untrusted data entry?
• What sanitation practices have been employed?
• What framework and libraries the website is running on?
• What can be discovered about site structure?
• What can be used from “view source” option of browsers?
• Are there any useful internal error messages up to the browser?
• Are there sufficient access controls on diagnostic data?
•

12. Data Breaches of 2012

13. Cybercrime Evolution
1986–1995
• LANs
• First PC virus
• Motivation: damage
1995–2003
• Internet Era
• “Big Worms”
• Motivation: damage
Cost of U.S. cybercrime:
About $70B
2004+
2006+
• OS, DB attacks
• Spyware, Spam
• Motivation: Financial
• Targeted attacks
• Social engineering
• Financial + Political
2007 Market Prices
Credit Card Number
$0.50 - $20
Full Identity
$1 - $15
Bank Account
$10 - $1000
Source: U.S. Government Accountability Office (GAO), FBI

14. Evolving Threats

15. Information security, is the practice of
defending information from unauthorized
access, use, disclosure, disruption, modification,
perusal, inspection, recording or destruction.”

16. Foundations of Application Security
•
Authentication= (Who are you?)
•
Authorization=(What can you do?)
•
Auditing(Non-repudiation) =Can not deny your action
•
Confidentiality(Privacy)=Data remains private and confidential
•
Integrity=Data is protected
•
Availability=System remains available

17. Layered Security Approach
Physical Security
Controlled Access, electronic surveillance ,video surveillance, security personnel
Perimeter Security
Firewalls, IDS
Network Security
Segmentation, Secure W-LAN , IPSec, DMZ
Host Security
Server Hardening, Client Hardening, Patch Management, Anti-virus, Distributed
Firewalls
Application
Security
IIS hardening, Exchange Hardening, SQL Server hardening,

18. Attacks are focusing on applications
Operating system vs browser and application vulnerabilities
90% of
vulnerabilities
are remotely
exploitable
From the Microsoft Security Intelligence Report V7
Sources: IBM X-Force, 2008

19. Importance of Application Security
•
Web applications have largest number of vulnerabilities.
Sources: Sept 2009 Report with data from TippingPoint IPS and vulnerability data by Qualys.

20. Web Applications Complexity
•
Very complex architectures, multiple platforms and protocols
Web Application
HTTP
Web Services
Network
Application
Server
Database Server
Presentation
Layer
Wireless
Web Servers
Business Logic
Customer
Identification
Media Store
Browser
Content Services
Access Controls
Transaction
Information
Core Business
Data

21. Web Applications Breach Perimeter
Internet
IIS
Apache
Trusted
Inside
DMZ
ASP
.NET
WebSphere
Java
MS-SQL
Oracle
DB2
HTTP(S)
Browser
Allows HTTP port 80
Allows HTTPS port 443
Firewall only
allows
applications
on the web
server to talk to
application
server.
Firewall only allows
application server
to talk to database
server.
Corporate
Inside

22. OWASP Top 10 Threats
Application Threat
Negative Impact
Example Impact
Injection Flaws
Attacker can manipulate queries to the DB /
LDAP / Other system
Hackers can access backend database information, alter it or steal
it.
Broken Authentication & Session Management
Session tokens not guarded or invalidated
properly
Hacker can “force” session token on victim; session tokens can be
stolen after logout
Cross Site scripting
Identity Theft, Sensitive Information Leakage,
…
Hackers can impersonate legitimate users, and control their
accounts.
Insecure Direct Object Reference
Attacker can access sensitive files and
resources
Web application returns contents of sensitive file (instead of
harmless one)
Security Misconfiguration
Attackers can gain detailed system
information
Malicious system investigation may assist in developing further
attacks
Sensitive Data Exposure
Sensitive info sent unencrypted over insecure
channel
Unencrypted credentials “sniffed” and used by hacker to
impersonate user
Missing Function Level Access Control
Attacker can access unauthorized resources
Hacker can forcefully browse and access a page past the login
page
Cross-Site Request Forgery
Attacker can invoke “blind” actions on web
applications, impersonating as a trusted user
Blind requests to bank account transfer money to hacker
Using Components with Known Vulnerabilities
Attacker can exploit vulnerable component
to gain access to system
Attacker can do data loss and also perform server takeover.
Unvalidated Redirects and Forwards
Attacker can redirects victims to phishing sites
Attacker can redirects victims to phishing or malware sites or use
forwards to access unauthorized pages

23. DEMO
OWASP Top 10 Threats (Project: WebGoat)

24. Industry Gap
Security Professional
Application Developers and QA
“As a Network Security Professional, I
don’t know how my companies web
applications are supposed to work so I
deploy a protective solution…but
don’t know if it’s protecting what it’s
supposed to.”
“As an Application Developer, I can
build/test great features and functions
while meeting deadlines, but I don’t
know how to develop/test my web
application with security as a feature.”

25. Bridging The Gap-Step by Step
•
•
•
•
•
Prioritize application security as important non functional
requirement
Improve awareness of application security in developers and QAs.
Incorporate security in SDLC.
Define clear role and responsibility towards application security
Promote Penetration testing of application

26. Microsoft Security Development Lifecycle
Education
Administer and track
security training
Process
Guide product teams to
meet SDL requirements
Accountability
Establish release criteria and
sign-off as part of FSR
Ongoing Process Improvements
Incident
Response
(MSRC)

27. Measurable results: Microsoft SDL and
Windows
400
Total Vulnerabilities
Disclosed One Year
After Release
242
157
119
66
Windows XP
Before SDL
Windows Vista
OS I
After SDL
45% reduction in Vulnerabilities
Source: Windows Vista One Year Vulnerability Report, Microsoft Security Blog 23 Jan 2008
OS II
OS III

28. Measurable results: Microsoft SDL and SQL
Server
187
Total Vulnerabilities Disclosed
36 Months After Release
34
3
SQL Server 2000
Before SDL
91% reduction in Vulnerabilities
Sources: Analysis by Jeff Jones (Microsoft technet security blog)
SQL Server 2005
After SDL
Competing commercial DB

29. DEMO
Microsoft Security Assessment Tool 4.0

30. Resources
•
OWASP (Open Web Application Security Project):
https://www.owasp.org
•
Microsoft Security:
http://www.microsoft.com/security
http://www.Microsoft.com/sdl
http://msdn.microsoft.com/en-us/library/ff650760.aspx
•
Wikipedia:
http://en.wikipedia.org/wiki/Application_security

32. Lalit Kale
lalitkale@gmail.com
http://lalitkale.wordpress.com
.
This presentation is shared under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information for this license is available at http://creativecommons.org/licenses/by-nc-sa/4.0/
All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.