Guest lecture on web application security, presented to students at the Indianapolis campus of The Iron Yard on November 9, 2016. This presentation was a basic overview/introduction to security, discussed the CIA Triad, why security is difficult, what happens if we don't do security right, what developers can do to enhance security, and included a brief overview of the OWASP Top Ten.
2. Agenda
• Who are you/Who am I?
• What is OurHealth?
• What is security/What is Information Security?
• Why is security difficult?
• What happens if we don't do security right?
• What can developers do to enhance security?
• Questions?
• If I only leave you with three things...
3. Who am I?
• Noah G. Jaehnert - Director of Information Security at OurHealth
• Email: njaehnert@ourhealth.org, Twitter: @njaehner
• LinkedIn: https://www.linkedin.com/in/noahjaehnert
• Previous experience:
• Security Architecture Program Manager/Enterprise Security Strategist –
• Senior Information Security Consultant –
• Enterprise Architect –
• Technical Engineer –
4. Who am I?
• Awards/Honors:
• 2015 and 2016 Cisco Champion for Security!
• 2015 America’s Information Security Leadership Award (AISLA) winner - Up and Coming Information Security Professional
• Certifications Include:
• Other Interests:
• Photography
• Skiing
• Volunteer as a Firefighter/EMT (a different side of Risk Management)
*In Progress
7. What is security?
• Security is the degree of resistance to, or protection from, harm.
• It applies to any vulnerable and valuable asset, such as a person, dwelling, community, item, nation, or organization.
• As noted by the Institute for Security and Open Methodologies (ISECOM) in their Open Source Security Testing Methodology Manual (OSSTMM), security provides:
• A form of protection where a separation is created between the assets and the threat
• These separations are generically called "controls," and sometimes include changes to the asset or the threat
8. Components of Security
• The Certified Information Systems Security Professional (CISSP) certification requires knowledge of the following domains/areas:
• Access Control
• Application Development Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security Governance and Risk Management
• Legal regulations, investigations, and compliance
• Operations Security
• Physical and Environmental Security
• Security Architecture and Design
• Telecommunications and Network Security
9. What Is Information Security?
• The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
• Tools, such as policy, awareness, training, education, and technology are necessary to support the overall protection of information and systems
• The C.I.A. triangle was created as a standard to provide guidance on protecting information and systems
12. Basics of Information Security: CIA
• Confidentiality – Information, systems, and/or data are not made available or disclosed to unauthorized individuals, entities, or processes
• Integrity – Information, systems, and/or data are accurate and complete over their entire lifecycle. This means they cannot be modified in an unauthorized or undetected manner.
• Availability – Information, systems, and/or data must be available when needed. This means that the systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly
16. What happens if we don’t do security right?
Source: 2016 Verizon Data Breach Investigation Report
• Gray bars indicate the corresponding figure from the DBIR report for 2015.
• Web application attacks accounted for the greatest percentage of attacks that resulted in breaches
• Increased almost fivefold from 2015!
17. What can developers do to enhance security?
• Build it into what you do!
• A plethora of resources for developers on building secure applications are available from the Open Web Application Security Project (OWASP). OWASP is:
• The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software.
• OWASP’s mission is to make software security visible, so that individuals and organizations are able to make informed decisions.
• OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.
18. What can developers do to enhance security?
• There is an Indianapolis OWASP Chapter that meets quarterly.
• I HIGHLY encourage you to attend, because:
• There are great presentations on relevant security topics
• It is an awesome networking opportunity
• Dinner (and sometimes drinks) provided free by a sponsor
• Next meeting: TBD Q4 2016.
• Visit the Indy OWASP Meetup page for details: http://www.meetup.com/indyowasp/
19. About the OWASP Top 10
OWASP Top 10 is an Awareness Document
• Not a standard…
First developed in 2003
• Was probably 3rd or 4th OWASP project, after
• Developers Guide
• WebGoat
• Maybe WebScarab ??
Released
• 2003, 2004, 2007, 2010, 2013
21. What Didn’t Change
It’s About Risks, Not Just Vulnerabilities
• Title is: “The Top 10 Most Critical Web Application Security Risks”
OWASP Top 10 Risk Rating Methodology
• Based on the OWASP Risk Rating Methodology, used to prioritize Top 10
22. 2013-A1 – Injection
Injection means…
• Tricking an application into including unintended commands in the data sent to an interpreter
Interpreters…
• Take strings and interpret them as commands
• SQL, OS Shell, LDAP, XPath, Hibernate, etc…
SQL injection is still quite common
• Many applications still susceptible (really don’t know why)
• Even though it’s usually very simple to avoid
Typical Impact
• Usually severe. Entire database can usually be read or modified
• May also allow full database schema, or account access, or even OS level access
23. SQL Injection – Illustrated
[Diagram: an HTTP request crosses the network layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the application layer (Custom Code; Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing; business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce), becomes a SQL query against a DB table, and the HTTP response flows back to the user.]
Resulting query: "SELECT * FROM accounts WHERE acct=‘’ OR 1=1--’"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
[Result panel: the Account Summary returned to the user lists every account (Acct: 5424-6066-2134-4334, 4128-7574-3921-0192, 5424-9383-2039-4029, 4128-0004-1234-0293) rather than the single Account/SKU the form was meant to show.]
24. A1 – Avoiding Injection Flaws
Recommendations
• Avoid the interpreter entirely, or
• Use an interface that supports bind variables (e.g., prepared statements, or stored procedures),
• Bind variables allow the interpreter to distinguish between code and data
• Encode all user input before passing it to the interpreter
• Always perform ‘white list’ input validation on all user supplied input
• Always minimize database privileges to reduce the impact of a flaw
References
• For more details, read the https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
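The flaw on slides 22–23 and the recommendations on slide 24, worked through in code. This is an added example, not code from the talk or from OWASP: it builds a constructed in-memory SQLite table holding the four account numbers from the slide's Account Summary panel, runs the slide's `' OR 1=1--` form value through a string-concatenated query and through a bind-variable query, applies an allow-list check on the account-number format, and sets the connection read-only as a stand-in for minimized database privileges. The table layout, owners, balances and the `ACCT_PATTERN` regex are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data: the four account numbers shown on the slide's
# "Account Summary" panel, each assigned an invented owner and balance.
SAMPLE_ACCOUNTS = [
    ("5424-6066-2134-4334", "alice", 120.00),
    ("4128-7574-3921-0192", "bob", 45.50),
    ("5424-9383-2039-4029", "carol", 980.10),
    ("4128-0004-1234-0293", "dave", 12.00),
]

# Allow-list ("white list") pattern for the account number format on the
# slide: four groups of four digits. Anything else is rejected before it
# gets anywhere near the SQL interpreter. (Assumed format for this example.)
ACCT_PATTERN = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{4}$")


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, acct):
    """The flaw from the slide: user input is pasted into the SQL text, so the
    interpreter cannot tell where the data ends and the command begins.
    With acct = "' OR 1=1--" the statement becomes exactly the one shown on
    slide 23 and every row comes back."""
    query = f"SELECT acct, owner, balance FROM accounts WHERE acct='{acct}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, acct):
    """Bind variables plus allow-list validation: the statement text is fixed
    and the value travels separately, so the interpreter only ever compares
    it as a string. The format check fails closed on anything unexpected."""
    if not ACCT_PATTERN.match(acct):
        return []
    return conn.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct=?", (acct,)
    ).fetchall()


def writes_blocked(conn):
    """Minimize database privileges: put the connection into query-only mode
    (SQLite's stand-in for a read-only DB account) and confirm that even a
    direct UPDATE is refused, so a successful injection could read but not
    modify data. Returns True when the write is rejected."""
    conn.execute("PRAGMA query_only = ON")
    try:
        conn.execute("UPDATE accounts SET balance = 0")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run both lookups against the same input and report what each returns."""
    conn = build_db()
    injected = "' OR 1=1--"            # the form value behind the slide's query
    legit = "4128-7574-3921-0192"
    results = {
        "vulnerable_injected_rows": len(lookup_vulnerable(conn, injected)),  # 4
        "safe_injected_rows": len(lookup_safe(conn, injected)),              # 0
        "safe_legit_owner": lookup_safe(conn, legit)[0][1],                   # "bob"
        "writes_blocked": writes_blocked(conn),                               # True
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two lookup functions differ by one thing only: whether the account number is part of the SQL text or a separate parameter. That single difference is what "bind variables allow the interpreter to distinguish between code and data" means in practice; the allow-list check and the read-only connection are the defence-in-depth layers from the same slide.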
25. 2013-A2 – Broken Authentication and Session Management
HTTP is a “stateless” protocol
• Means credentials have to go with every request
• Should use SSL for everything requiring authentication
Session management flaws
• SESSION ID used to track state since HTTP doesn’t
• and it is just as good as credentials to an attacker
• SESSION ID is typically exposed on the network, in browser, in logs, …
Beware the side-doors
• Change my password, remember my password, forgot my password, secret question, logout, email address, etc…
Typical Impact
• User accounts compromised or user sessions hijacked
26. Broken Authentication Illustrated
[Diagram: the site’s Custom Code in front of its business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce).]
1. User sends credentials
2. Site uses URL rewriting (i.e., put session in URL): www.boi.com?JSESSIONID=9FA1DB9EA...
3. User clicks on a link to http://www.hacker.com in a forum
4. Hacker checks referrer logs on www.hacker.com and finds user’s JSESSIONID
5. Hacker uses JSESSIONID and takes over victim’s account
27. A2 – Avoiding Broken Authentication and Session Management
Verify your architecture
• Authentication should be simple, centralized, and standardized
• Use the standard session id provided by your container
• Be sure SSL protects both credentials and session id at all times
Verify the implementation
• Forget automated analysis approaches
• Check your SSL certificate
• Examine all the authentication-related functions
• Verify that logoff actually destroys the session
• Use OWASP’s WebScarab to test the implementation
Follow the guidance from
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
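The session-management points from slides 25–27 (the session id is as good as credentials, it leaks through URLs and referrer logs, logoff must actually destroy the session) as a small server-side session store. This is an added example, not code from the talk or from any container; in a real application you would use the container's own session mechanism, as the slide says, and this code only shows the properties that mechanism needs. The cookie name `SESSIONID`, the 15-minute idle timeout, the `SESSION_PARAM_NAMES` list and the `rotate` step on login are assumptions for the example; the URL `www.boi.com?JSESSIONID=...` is the one from slide 26.

```python
import secrets
import time
from urllib.parse import urlsplit, parse_qs

# Assumptions for this example (not from the slides): cookie name and an
# idle timeout after which a session id stops working.
COOKIE_NAME = "SESSIONID"
IDLE_TIMEOUT_SECONDS = 15 * 60

# Query-parameter names that commonly carry a session id when a site uses
# URL rewriting; JSESSIONID is the one shown on slide 26.
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "sessionid", "sid", "session"}


class SessionStore:
    """Server-side session table. The browser only ever holds an opaque id;
    everything about the user stays here, so destroying the record here is
    what actually ends the session."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": str, "last_seen": float}

    def create(self, user, now=None):
        """Issue a fresh id from the OS CSPRNG (256 bits, URL-safe)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": time.time() if now is None else now}
        return sid

    def lookup(self, sid, now=None):
        """Return the user for a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self.destroy(sid)          # expired ids are removed, not just ignored
            return None
        entry["last_seen"] = now
        return entry["user"]

    def rotate(self, sid, now=None):
        """Issue a new id after login (or any privilege change) so an id that
        was observed before authentication is worthless afterwards."""
        user = self.lookup(sid, now)
        if user is None:
            return None
        self.destroy(sid)
        return self.create(user, now)

    def destroy(self, sid):
        """Logoff: remove the server-side record. Clearing the cookie alone
        would leave the id usable by anyone who already captured it."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie line for the session id. Secure keeps it off plaintext HTTP
    (the slide's "SSL protects ... session id at all times"), HttpOnly keeps
    it away from page scripts, SameSite limits cross-site sends."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def url_carries_session(url):
    """Flag a URL that would hand the session id to any site the user clicks
    through to (via the Referer header), as in slide 26's example."""
    parts = urlsplit(url)
    if ";jsessionid=" in parts.path.lower():   # servlet-style path parameter
        return True
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(name.lower() in SESSION_PARAM_NAMES for name in params)


def demo():
    """Walk a login / use / logoff cycle and report the checks a reviewer
    would verify (slide 27: logoff destroys the session, ids stay off URLs)."""
    store = SessionStore()
    t0 = 1_000_000.0
    pre_login = store.create("guest", now=t0)
    sid = store.rotate(pre_login, now=t0)        # login: new id, old id dead
    store.destroy(sid)                           # logoff
    return {
        "old_id_dead_after_login": store.lookup(pre_login, now=t0) is None,    # True
        "id_dead_after_logoff": store.lookup(sid, now=t0) is None,             # True
        "rewritten_url_flagged": url_carries_session("www.boi.com?JSESSIONID=9FA1DB9EA"),  # True
        "cookie_header": session_cookie_header("<session id placeholder>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`url_carries_session` is the kind of check to run over your own application's links and redirect targets (or over WebScarab/proxy captures, as slide 27 suggests) to confirm the container is not falling back to URL rewriting when a cookie is unavailable; the store shows the three behaviours to verify by hand: a new id on login, a short idle timeout, and a logoff that removes the record rather than just the cookie.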
28. Summary: How do you address these problems?
• Develop Secure Code
– Follow the best practices in OWASP’s Guide to Building Secure Web Applications
• https://www.owasp.org/index.php/Guide
• And the cheat sheets: https://www.owasp.org/index.php/Cheat_Sheets
– Use OWASP’s Application Security Verification Standard (ASVS) as a guide to what an application needs to be secure: https://www.owasp.org/index.php/ASVS
– Use standard security components that are a fit for your organization
• Use OWASP’s ESAPI as a basis for your standard components:
https://www.owasp.org/index.php/ESAPI
• Review Your Applications
– Have an expert team review your applications
– Review your applications yourselves following OWASP Guidelines
• OWASP Code Review Guide: https://www.owasp.org/index.php/Code_Review_Guide
• OWASP Testing Guide: https://www.owasp.org/index.php/Testing_Guide
32. If I only leave you with three things:
1. WE CAN FIX THIS!
2. Learn all you can about security. Build it into what you do, and do it early and often throughout your projects. Don’t wait until the end. Doing so makes it infinitely harder to fix (and it probably won’t ever be fixed).
3. Use the resources available to you, such as OWASP. Never be afraid to ask (or Google, or Google then ask)!
33. Sources/Resources
• 2016 Verizon Data Breach Investigation Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
• Open Web Application Security Project (OWASP): https://www.owasp.org
• OWASP Cheat Sheets: https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
• OWASP Top Ten Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• OWASP Top Ten 2013 (latest edition): https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf
• OWASP Top Ten Slides (used in this presentation): https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Presentation.pptx
34. My contact information:
• If I can ever be a resource to you, please do not hesitate to reach out!
• Email: njaehnert@ourhealth.org
• Twitter: @njaehner
• LinkedIn: https://www.linkedin.com/in/noahjaehnert