This presentation is part of a talk I gave at the Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I tried to cover broader aspects of Application Security basics. This presentation will be useful for software architects, managers, developers and QAs. Do share your feedback in the comments.
2. Overview
• Introduction
• Foundations of Security
• Layered Security Approach
• Importance of Application Security
• OWASP Top 10 Threats
• Industry Gap
• Bridging The Gap - Step by Step
• Microsoft Security Development Lifecycle (MS-SDL)
• Measurable results of applying MS-SDL
• Resources
5. Why should you know hacking?
• Developers need to hone their cyber-offence skills
  • If you can’t think like a hacker, it's difficult to defend against them
• Hack your own website
  • First website security assessment
• Defense in depth
  • Fix multiple security flaws that would otherwise have been a single point of failure
6. Who are hackers?
• Ethical Hackers/Hacktivists
  • Motivated by a higher cause
• Cyber Criminals
  • Motivated by financial gain, identity theft, malicious intentions
• Nation States
  • Cyber warfare for national security and political interest
8. Common Myth: “We are secure since we have a firewall!”
[Diagram: the network layer (firewall) sits in front of the application layer: hardened OS, web server, app server, web services, directories, databases, legacy systems and custom developed application code, with back-end systems such as billing and human resources behind them. The application attack passes straight through the firewall and lands on the application layer.]
Your security “perimeter” has huge holes at the application layer.
• You can’t use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks.
10. Common Sources of Untrusted Data
• User
  • In the URL via a query string or route
  • Posted via a form
• Browser
  • Cookies
  • Request headers
• Other
  • External services
  • Your own database!
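The last bullet is the one developers most often miss, so here is an added example (not from the presentation) in Python against an in-memory SQLite database, with a hypothetical users/orders schema and constructed accounts. The same query-building mistake lets a crafted username bypass the login (first-order injection, data from the request) and, later, lets a display name that was accepted at sign-up and stored in our own table return every customer's orders (second-order injection, data from the database). The parameterised version beside each shows the fix.

```python
"""Untrusted data arrives from the request and from your own database.
Added example: the schema, the accounts and the orders lookup are hypothetical,
constructed to show the flaw and its fix side by side.
"""
import sqlite3

# Constructed sample data. Passwords are plaintext only to keep the example
# short; real code stores a salted hash. Bob chose his display name himself.
USERS = [
    ("alice", "s3cret", "Alice"),
    ("bob", "hunter2", "x' OR '1'='1"),
]
ORDERS = [("Alice", "laptop"), ("x' OR '1'='1", "mouse")]


def setup():
    """Build the in-memory database with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, display_name TEXT)")
    conn.execute("CREATE TABLE orders (owner TEXT, item TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?)", ORDERS)
    return conn


def login_vulnerable(conn, username, password):
    """First-order injection: query string / form fields pasted into SQL."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bound parameters are data to the driver, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def orders_vulnerable(conn, username):
    """Second-order injection: display_name came from *our* table, so it is
    treated as trusted and pasted into the next query unbound."""
    display_name = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()[0]
    sql = f"SELECT item FROM orders WHERE owner = '{display_name}' ORDER BY item"
    return [r[0] for r in conn.execute(sql)]


def orders_safe(conn, username):
    """Same lookup, but the value read back from the database is bound too."""
    display_name = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()[0]
    rows = conn.execute(
        "SELECT item FROM orders WHERE owner = ? ORDER BY item", (display_name,)
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = setup()
    # A username of  alice' --  comments out the password check in SQLite.
    print("vulnerable login:", login_vulnerable(db, "alice' --", "wrong"))
    print("safe login:      ", login_safe(db, "alice' --", "wrong"))
    # Bob's stored display name turns the owner filter into  ... OR '1'='1
    print("vulnerable orders for bob:", orders_vulnerable(db, "bob"))
    print("safe orders for bob:      ", orders_safe(db, "bob"))
```

The point of the second pair is that "it came from the database" says nothing about who put it there; bind every value at every query, including the ones you read back a moment ago.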
11. Building A Risk Profile
• Attackers want to understand as much as possible about the website in order to find vulnerabilities in it, so they analyze:
  • What are the points of untrusted data entry?
  • What sanitization practices have been employed?
  • What framework and libraries is the website running on?
  • What can be discovered about the site structure?
  • What can be learned from the browser's “view source” option?
  • Do any useful internal error messages reach the browser?
  • Are there sufficient access controls on diagnostic data?
15. “Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.”
16. Foundations of Application Security
• Authentication = Who are you?
• Authorization = What can you do?
• Auditing (Non-repudiation) = You cannot deny your action
• Confidentiality (Privacy) = Data remains private and confidential
• Integrity = Data is protected from unauthorized modification
• Availability = The system remains available
18. Attacks are focusing on applications
[Chart: operating system vs. browser and application vulnerabilities; 90% of vulnerabilities are remotely exploitable.]
From the Microsoft Security Intelligence Report V7. Sources: IBM X-Force, 2008.
19. Importance of Application Security
• Web applications have the largest number of vulnerabilities.
Sources: Sept 2009 report with data from TippingPoint IPS and vulnerability data by Qualys.
20. Web Applications Complexity
• Very complex architectures, multiple platforms and protocols
[Diagram: a web application spanning the browser, wireless, network and HTTP; the presentation layer and web servers; content services, business logic, application server, web services, access controls and customer identification; transaction information, media store, database server and core business data.]
21. Web Applications Breach Perimeter
[Diagram: a browser on the Internet speaks HTTP(S) to web servers (IIS, Apache) in the DMZ; those talk to application servers (ASP.NET, WebSphere, Java) on the trusted inside; those talk to database servers (MS-SQL, Oracle, DB2) on the corporate inside.]
• The perimeter firewall allows HTTP port 80 and HTTPS port 443.
• The next firewall only allows applications on the web server to talk to the application server.
• The inner firewall only allows the application server to talk to the database server.
22. OWASP Top 10 Threats (the 2013 edition of the list)

Injection Flaws
  Negative impact: Attacker can manipulate queries to the DB / LDAP / other system
  Example impact: Hackers can access backend database information, alter it or steal it.

Broken Authentication & Session Management
  Negative impact: Session tokens not guarded or invalidated properly
  Example impact: Hacker can “force” a session token on the victim; session tokens can be stolen after logout.

Cross Site Scripting
  Negative impact: Identity theft, sensitive information leakage, …
  Example impact: Hackers can impersonate legitimate users and control their accounts.

Insecure Direct Object Reference
  Negative impact: Attacker can access sensitive files and resources
  Example impact: Web application returns the contents of a sensitive file (instead of a harmless one).

Security Misconfiguration
  Negative impact: Attackers can gain detailed system information
  Example impact: Malicious system investigation may assist in developing further attacks.

Sensitive Data Exposure
  Negative impact: Sensitive info sent unencrypted over an insecure channel
  Example impact: Unencrypted credentials “sniffed” and used by a hacker to impersonate the user.

Missing Function Level Access Control
  Negative impact: Attacker can access unauthorized resources
  Example impact: Hacker can forcefully browse to a page past the login page.

Cross-Site Request Forgery
  Negative impact: Attacker can invoke “blind” actions on web applications, impersonating a trusted user
  Example impact: Blind requests to a bank account transfer money to the hacker.

Using Components with Known Vulnerabilities
  Negative impact: Attacker can exploit a vulnerable component to gain access to the system
  Example impact: Attacker can cause data loss or take over the server.

Unvalidated Redirects and Forwards
  Negative impact: Attacker can redirect victims to phishing sites
  Example impact: Attacker can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
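The “force a session token on the victim” case in the Broken Authentication row is session fixation. Below is an added example in Python, not from the presentation, using a hypothetical in-memory session store and a constructed user table: the vulnerable login keeps whatever session id the browser presented, so an attacker who planted an id before login ends up holding an authenticated session; the fixed login discards the pre-login id and issues a fresh one, and logout destroys the server-side record so a token captured afterwards cannot be replayed.

```python
"""Session fixation and post-logout replay, side by side.
Added example: SessionStore, the login functions and the USERS table are
hypothetical stand-ins for whatever the web framework provides.
"""
import hmac
import secrets

# Constructed sample credentials (plaintext only for brevity; hash them in real code).
USERS = {"alice": "s3cret"}


class SessionStore:
    """Hypothetical server-side session store keyed by session id."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unguessable id from the OS CSPRNG
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def check_password(username, password):
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode()
    )


def login_fixable(store, sid, username, password):
    """Vulnerable: promotes the session id the client already had."""
    if not check_password(username, password):
        return None
    if store.get(sid) is None:
        sid = store.new_session()
    store.get(sid)["user"] = username
    return sid


def login_safe(store, sid, username, password):
    """Fixed: the pre-login id (possibly attacker-chosen) dies on login."""
    if not check_password(username, password):
        return None
    store.destroy(sid)
    new_sid = store.new_session()
    store.get(new_sid)["user"] = username
    return new_sid  # set this as the new session cookie


def logout(store, sid):
    """Invalidate server-side, not just in the browser."""
    store.destroy(sid)


def fixation_attack(login):
    """Replay the attack against a login function; True means the attacker got in."""
    store = SessionStore()
    attacker_sid = store.new_session()  # attacker obtains a valid anonymous id
    # Attacker plants attacker_sid in the victim's browser (link parameter,
    # cookie set from a sibling host, ...); the victim logs in presenting it.
    login(store, attacker_sid, "alice", "s3cret")
    sess = store.get(attacker_sid)
    return sess is not None and sess["user"] == "alice"


def replay_after_logout():
    """A token copied from the victim is useless once logout destroyed it."""
    store = SessionStore()
    sid = login_safe(store, store.new_session(), "alice", "s3cret")
    logout(store, sid)
    return store.get(sid) is None


if __name__ == "__main__":
    print("fixation works against login_fixable:", fixation_attack(login_fixable))
    print("fixation works against login_safe:   ", fixation_attack(login_safe))
    print("stolen token dead after logout:      ", replay_after_logout())
```

Regenerating the id at every privilege change is the control most frameworks already offer (ASP.NET's session APIs and Java's `changeSessionId` among them); the example only makes visible what that call prevents. Pair it with `HttpOnly` and `Secure` on the session cookie so the id is harder to steal in the first place.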
24. Industry Gap

Security Professional:
“As a Network Security Professional, I don’t know how my company's web applications are supposed to work, so I deploy a protective solution… but don’t know if it’s protecting what it’s supposed to.”

Application Developers and QA:
“As an Application Developer, I can build/test great features and functions while meeting deadlines, but I don’t know how to develop/test my web application with security as a feature.”
25. Bridging The Gap - Step by Step
• Prioritize application security as an important non-functional requirement
• Improve awareness of application security among developers and QAs
• Incorporate security in the SDLC
• Define clear roles and responsibilities for application security
• Promote penetration testing of applications
26. Microsoft Security Development Lifecycle
• Education: Administer and track security training
• Process: Guide product teams to meet SDL requirements
• Accountability: Establish release criteria and sign-off as part of the FSR (Final Security Review)
• Ongoing Process Improvements
• Incident Response (MSRC)
27. Measurable results: Microsoft SDL and Windows
[Chart: total vulnerabilities disclosed one year after release. Windows XP (before SDL): 119; Windows Vista (after SDL): 66, a 45% reduction in vulnerabilities. The remaining bar values, 400, 242 and 157, belong to competing operating systems labelled OS I, OS II and OS III.]
Source: Windows Vista One Year Vulnerability Report, Microsoft Security Blog, 23 Jan 2008
28. Measurable results: Microsoft SDL and SQL Server
[Chart: total vulnerabilities disclosed 36 months after release. SQL Server 2000 (before SDL): 34; SQL Server 2005 (after SDL): 3, a 91% reduction in vulnerabilities; competing commercial DB: 187.]
Source: Analysis by Jeff Jones (Microsoft TechNet security blog)
30. Resources
• OWASP (Open Web Application Security Project): https://www.owasp.org
• Microsoft Security:
  http://www.microsoft.com/security
  http://www.Microsoft.com/sdl
  http://msdn.microsoft.com/en-us/library/ff650760.aspx
• Wikipedia: http://en.wikipedia.org/wiki/Application_security
32. Lalit Kale
lalitkale@gmail.com
http://lalitkale.wordpress.com
This presentation is shared under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information for this license is available at http://creativecommons.org/licenses/by-nc-sa/4.0/
All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.
Social engineering. Many attacks attempt to appear as if they originated from a system administrator or official service, increasing the likelihood that end users will execute them and infect their systems.

Trojan horse. A program that appears to be useful or harmless but that contains hidden code designed to exploit or damage the system on which it is run. Trojan horse programs are most commonly delivered to users through e-mail messages that misrepresent the program's purpose and function. Also called Trojan code. A Trojan horse does this by delivering a malicious payload or task when it is run.

Worm. A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another through network connections. A worm can take harmful action, such as consuming network or local system resources, possibly causing a denial of service attack. Some worms can execute and spread without user intervention, while others require users to execute the worm code directly in order to spread. Worms may also deliver a payload in addition to replicating.

Virus. A virus uses code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. When the host is executed, the virus code also runs, infecting new hosts and sometimes delivering an additional payload.
- Now we no longer have websites, we have web applications
- Web applications reside on multiple systems in distributed architectures
- Three tiers (presentation, logic, data)
- Use sophisticated programming languages and architectures
- Corporate and customer data moved to the computing edge
- Edge extended to cellphones, PDAs, mobile sales force solutions, inventory management systems, etc.
There is a lack of awareness of application vulnerabilities in security departments. Security departments scrutinize the desktop, the network, and even the web servers, but the web application escapes their measures. Even in departments that want to audit for web application vulnerabilities, the lack of effective tools has made it impractical. As a result, Certification and Accreditation programs rarely examine the web application. In fact, the entire development cycle is usually missing from security procedures and controls. This illustrates the fundamental gap between security and development, which creates these web application vulnerabilities.

Many traditional information security practitioners are ill-equipped to mitigate application security issues:
– Little to no experience coding
– No experience coding in “modern” enterprise environments like .NET and J2EE
– Understand that there are risks, but not in a position to address them