You want to start integrating security in your web application project but you don't know where to start and don't have access to software security professionals. What are the "cheapest" while very efficient activities that you can already do by yourself? Agenda: -Understanding the need for information security and privacy -Secure design: key principles -Threat modeling and analysis: building your first threat model and identifying the major risks in your web application - Testing the security of your web application - Understanding the big picture: what is a secure SDLC - Cheap and efficient security activities that might be started immediatly in your SDLC

1. Web application securitythe first steps towards a secure SDLC Antonio FontesOWASP Geneva Chapter Leader Confoo ConferenceMarch 11th 2010, Montreal, CA

2. (coward) disclaimer We haven’t found the solution, yet. Most methodologies are v.1.x and getting continuous improvements. You might need more than one point of view 2 Antonio Fontes / Confoo Conference, Montreal / 2010

3. Agenda - Context Sometheory Security expectations in software Identifyingthreats and theircountermeasures Cowardstrategy A case study Conclusion 3 Antonio Fontes / Confoo Conference, Montreal / 2010

4. About me Antonio Fontes, from Geneva (Switzerland) >1999: Web developer >2005: Ethical hacker / Security analyst >2008: Security & Privacy manager (banking software ISV) >2008: OWASP Geneva Chapter Leader >2010: Information Security Consultant SANS/CWE Top 25 Most Dangerous Programming Errors contributor 4 Antonio Fontes / Confoo Conference, Montreal / 2010

5. About you? Coders? Testers? Managers? Ninjas?

6. First things first: THEORY 6 Antonio Fontes / Confoo Conference, Montreal / 2010

7. 80-20 rule Also applies to information security SQL injections Authentication & session management OWASP Top 10 7 Antonio Fontes / Confoo Conference, Montreal / 2010 OWASP ASVS

8. what does “secure” mean? 8 Antonio Fontes / Confoo Conference, Montreal / 2010

9. Security & Privacy contract 1st assurance: CONFIDENTIALITY ”Data is protected from unauthorized access.” 2nd assurance: INTEGRITY ”Data is true and actual.” 3rd assurance: AVAILABILITY ”Legitimate requests get answers in legitimate time.” 4th assurance: TRACEABILITY ”You can reconstruct a trustworthy history of any user’s interactions with your application.” 9 Antonio Fontes / Confoo Conference, Montreal / 2010

10. Security & Privacy contract 5th assurance: PRIVACY ”Personal data is protected both from unauthorized access but also from unnecessary access.” 6th assurance: COMPLIANCE ”Data is collected, processed, accessed,stored, archived and destroyed in accordance with Law.” 7th assurance: REPUTATION ”Security incidents that might potentially occur won’t harm the organization’s reputation.” 10 Antonio Fontes / Confoo Conference, Montreal / 2010 These are what your boss understands! The 5 others are what you really need to solve ;)

11. the threat “Nobody wants to hack us.” 11 Antonio Fontes / Confoo Conference, Montreal / 2010

12. Who are your threat agents? Dumbguy Show-off guy « I killyou!» guy Organized crime But also… Competition Governments 12 Antonio Fontes / Confoo Conference, Montreal / 2010 Lower effort Higher effort

13. Security features vs. secure features Checklists already solve common problems!

14. Secure features: STRIDE model SPOOFING -> authentication TAMPERING -> integrity REPUDIATION -> non-repudiation INFORMATION DISCLOSURE -> confidentiality DENIAL OF SERVICE -> availability ELEVATION OF PRIVILEGES -> authorization For each asset, ask yourself what nightmares you really don’t want to come true!

15. $$$$ issues 15 Antonio Fontes / Confoo Conference, Montreal / 2010

16. the bigpicture Awareness operations (coffee room, newsletters, posters on the wall, drop OWASP guides on the floor, lunch with devs, etc.) Security Activities / SDLC Training operations (secure coding, threat modelling, code analysis,...) S&P Riskassessment Secure design Secure Coding guidelines Incident response Risk assessment (attack surface review) Incident response planning Attack surface analysis Secure coding tools PenetrationTest Final S&P signoff S&PTest Identify security requirements CERT response Secure configuration and deployment Threat modeling Unit testing Static code analysis Fuzz test Release archive S&P test planning SP3DC (Security and Privacy by Design, Development, Deployment and Configuration) Intranet portal (case studies, news, best practices, secure code repository) Product Risk Management Strategy 16 Antonio Fontes / Confoo Conference, Montreal / 2010

17. How are big companies doing? PT1.1: External penetration testExternal penetration tests bring light to insecure applications and organizations, which need help. SFD1.1: Security features developmentsecurity features (auth, crypto, session, etc.) are centrally developed and reused. SE1.2: Secure deploymenthost and network security basics are in place CP1.3: Create a policyDefine a policy that satisfies regulatory & compliance requirements. Source: BSI-mm (http://bsi-mm.com/) blabla Let’s think costs and risk reduction!

18. our own picture What is cheap? What is effective? 18 Antonio Fontes / Confoo Conference, Montreal / 2010

19. ourownpicture Awareness operations (coffee room, newsletters, posters on the wall, drop OWASP guides on the floor, lunch with devs, etc.) Security Activities / SDLC Training operations (secure coding, threat modelling, code analysis,...) S&P Riskassessment Secure design Secure Coding guidelines Incident response Risk assessment (attack surface review) Incident response planning Attack surface analysis Secure coding tools PenetrationTest Final S&P signoff S&PTest Identify security requirements CERT response Secure configuration and deployment Threat modeling Unit testing Static code analysis Fuzz test Release archive S&P test planning SP3DC (Security and Privacy by Design, Development, Deployment and Configuration) Intranet portal (case studies, news, best practices, secure code repository) Product Risk Management Strategy 19 Antonio Fontes / Confoo Conference, Montreal / 2010

20. S&P test You can do it (you, or automated security scanning tools) You don’t need to ask (well…….it depends) It’s virtually free (for your boss. you lose one or two evenings.) You will get a picture That you can show your management That will serve as input into your bug tracking tool If you use a reference (OWASP Top 10?), you can even monitor progress 20 Antonio Fontes / Confoo Conference, Montreal / 2010

21. Threat analysis and modeling You can do it (if there is documentation, it’s better) You don’t need to ask (well…….it depends) It’s virtually free (for your boss. you lose one or two evenings.) You will issue recommendations That will help you and your colleagues build more secure code. That you will improve with time. 21 Antonio Fontes / Confoo Conference, Montreal / 2010

22. SUMMARY Security contract: 7 rules 5 security properties that lead to 2 security concerns Threat agents Low-cost SDLC injection phases 22 Antonio Fontes / Confoo Conference, Montreal / 2010

23. lazy strategy 23 Antonio Fontes / Confoo Conference, Montreal / 2010

24. lazy strategy Your goal: staying out of statistics (shame avoidance pattern) UK breach investigation report: 60% of web intrusions: SQL Injection* 30% of web intrusions: authentication* Web hacking incidents database: 19% : SQL Injection 11% : authentication attacks OWASP Top 10 web application security risks: Don’t get exposed to one of these attacks! *: 7Safe - UK Security breach investigations report 2010 24 Antonio Fontes / Confoo Conference, Montreal / 2010

25. lazy strategy (cont’d) Don’t be a hero (yet), use checklists! Start simple and short Generic items (security features): reduce exposure to technical attacks OWASP Application Security Verification Standard MS Web applications threats and countermeasures security checklist Specific items (secure features): reduce exposure to attacks relating to your business Many checklists are already automated: Use an automatic security scanning tool!!! 25 Antonio Fontes / Confoo Conference, Montreal / 2010

26. lazy strategy (cont’d) Lazy threat modeling: List the use cases and identify the most valuable assets involved with them. Think about how the assets might be exposed if the use case goes wrong: STRIDE model Attack scenarios Identify countermeasures Apply these countermeasures 26 Antonio Fontes / Confoo Conference, Montreal / 2010

27. CASE STUDY the Twitter case (because it’s simple to understand, and solved) 27 Antonio Fontes / Confoo Conference, Montreal / 2010

28. Get fast and cheap results Quick start: automatic security scan!!! Runtime: 10 minutes (if you use a 9600 bps modem) It should reveal major holes… *: 7Safe - UK Security breach investigations report 2010 28 Antonio Fontes / Confoo Conference, Montreal / 2010

29. Reducing the heatmap

30. Major use cases 30 Antonio Fontes / Confoo Conference, Montreal / 2010

31. Valuable assets 31 Antonio Fontes / Confoo Conference, Montreal / 2010

32. Data-flows User Data stores: any need for encryption? Register SMS gateway Mobile numbers Requests Authenticate Accounts and credentials Factors: what credentials make a valid authentication? Can they be spoofed? Data transport in non-trust zone: any need for encryption? Set status Web Server Log & Audit consumes Trust boundary: what is the input validation strategy? uses Messages & lists View archive Data transport in semi-trust zone: any need for encryption? View user feed

33. Nightmares list (think “STRIDE”) 33 Antonio Fontes / Confoo Conference, Montreal / 2010

34. Countermeasures 34 Antonio Fontes / Confoo Conference, Montreal / 2010

35. Countermeasures 35 Antonio Fontes / Confoo Conference, Montreal / 2010

36. Countermeasures 36 Antonio Fontes / Confoo Conference, Montreal / 2010

37. CASE STUDY is this already useful? 37 Antonio Fontes / Confoo Conference, Montreal / 2010

38. April 2007 A security vulnerability was reported on April 7 2007 by NiteshDhanjani & Rujith. The problem was due to Twitter’s using the SMS message originator as the authentication of the user’s account. Niteshused fakemytext.com to spoof a text message. This vulnerability can only be used if the victim’s phone number is known. Twitter introduced an optional PIN that its users can specify to authenticate SMS-originating messages within a few weeks of this discovery http://en.wikipedia.org/wiki/Twitter 38 Antonio Fontes / Confoo Conference, Montreal / 2010

39. 2008 BrainShaler.com, 2008, writes a blog entry where his Twitter account gets hacked by a friend. After tarnishing his online reputation, his friend was persuaded to give back the account and he managed to change his password. However, this did not seem to help. His friend still had access because his friend was already authenticated. Twitter’s sessions did not expire, therefore, access was granted as long as his friend had an active session and didn’t log out http://en.wikipedia.org/wiki/Twitter 39 Antonio Fontes / Confoo Conference, Montreal / 2010

40. January 2009 33 high-profile Twitter accounts were compromised, and falsified messages—including sexually explicit and drug-related messages—were sent. The accounts were compromised after a Twitter administrator’s password was guessed via a dictionary attack. We are engaged in a full security review of all access points to Twitter. In the meantime, we are taking immediate action. First, we are increasing the security of our sign-in mechanism. For added security, we are further restricting access to our support tools. http://en.wikipedia.org/wiki/Twitterhttp://blog.twitter.com/2009/01/monday-morning-madness.html 40 Antonio Fontes / Confoo Conference, Montreal / 2010

41. It seems to help… 41 Antonio Fontes / Confoo Conference, Montreal / 2010

42. what’s next? 42 Antonio Fontes / Confoo Conference, Montreal / 2010

43. #1: Clean up! Configure your bug tracking tool: Add a ‘security’ category Add a “critical, high, low” impact attribute Add a “design, implementation, configuration” source attribute Don’t forget to store the time required to fix the issue! At later time, this will help you get $$$! Start testing your web application: Automated if you don’t have time. OWASP Application Security Verification Standard is a good starthttp://www.owasp.org/index.php/ASVS Identify your worst nightmares Conduct lazy threat analysis and check if countermeasures are in place Fix all security issues you find: WARNING: Don’t find problems if you’re not ready to solve them! After this point, you will already be ahead of many others. 43 Antonio Fontes / Confoo Conference, Montreal / 2010

44. #2: Sharpen your skills! Understand technical attacks and countermeasures: Threat classification (WASC)http://projects.webappsec.org/Threat-Classification Top 10 Web application security risks (OWASP)http://www.owasp.org/index.php/Top_10 Learn and adhere to secure coding principles: Secure Development Principles Whitepaper (Security Ninja)http://www.securityninja.co.uk/wp-content/uploads/2009/09/secure_development_principles_final.pdf Learn threat modeling: Theat Modeling Web Applications (Microsoft)http://msdn.microsoft.com/en-us/library/ms978516.aspx Evangelize around you: Show and share with your teammates what you learned! 44 Antonio Fontes / Confoo Conference, Montreal / 2010

45. #3: Talk to management! Be ready to hit walls Otherwise, stay silent and just fix what you can. Compile your data C-levels understand “financial profit”, “compliance”, and “reputation exposure”: Tell them what is the current situation Look into your bug tracking tool: how much time was (or will be) involved into fixing the flaws you found? How much time would it take fixing them at design time? Get promoted (and ask for a raise, if you date) “Product Manager – Security & Privacy” 45 Antonio Fontes / Confoo Conference, Montreal / 2010

46. #4: Continue securingyourSDLC Choose your college: Security Development Lifecycle (Microsoft)http://blogs.msdn.com/sdl/ Open Software Assurance Maturity Model (OWASP)http://www.opensamm.org/ Building Security in Maturity Model (Cigital/Fortify)http://www.bsi-mm.com/ 46 Antonio Fontes / Confoo Conference, Montreal / 2010

47. Conclusion What’s the 1stmajor wall? Just start. 47 Antonio Fontes / Confoo Conference, Montreal / 2010

48. Conclusion What’s the 2ndmajor wall? Not applying those damn checklists. 48 Antonio Fontes / Confoo Conference, Montreal / 2010

49. Conclusion If you can “start” and “apply a checklist”… You’re almost done! ;) 49 Antonio Fontes / Confoo Conference, Montreal / 2010

50. questions…? 50 Antonio Fontes / Confoo Conference, Montreal / 2010

52. t:starbuck3000

53. slideshare: starbuck3000Thank you! 51 Antonio Fontes / Confoo Conference, Montreal / 2010

54. next Google:“list of (free) web application security scanners” Find checklists: Google:”web application security checklist” OWASP ASVS MS web application threats and countermeasures security checklist Start fixing!

55. Copyright You are free: To share (copy, distribute, transmit) To remix But only if: You attribute this work You use it for non-commercial purposes And you keep sharing your result the same way I did 53 Antonio Fontes / Confoo Conference, Montreal / 2010