application security
DESCRIPTION
* Brief timeline on cyber attack history * Definition * Foundations of Security * Definition of Terms * Threat Modeling * Application Vulnerability Categories * Core Security Principles * Web Application Security * Risks and Risk Mitigation/Control Measures
TRANSCRIPT
Application Security
Reggie Santos
UP ITDC
Outline
Brief timeline on cyber attack history
Definition
Foundations of Security
Definition of Terms
Threat Modeling
Outline
Application Vulnerability Categories
Core Security Principles
Web Application Security
Risks and Risk Mitigation/Control Measures
References
The number of variants of malicious software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year – Government Accountability Office (GAO), US (2012)
Security
Fundamentally about protecting assets
Assets
Tangible items such as a Web page or your customer database
Less tangible items such as the company's reputation
Security
A path, not a destination
As you analyze your infrastructure and applications, you identify potential threats and understand that each threat presents a degree of risk
About risk management and implementing effective countermeasures
Foundations of Security
Authentication
Addresses the question: "who are you?"
Process of uniquely identifying the clients of your applications and services
Might be end-users, other services, processes, or computers
Authenticated clients are referred to as principals
Foundations of Security
Authorization
Addresses the question: "what can you do?"
Process that governs the resources and operations that the authenticated client is permitted to access
Resources include files, databases, tables, rows, and so on, together with system-level resources such as registry keys and configuration data
Operations include performing transactions such as purchasing a product, transferring money from one account to another, or increasing a customer's credit rating
Foundations of Security
Confidentiality
Privacy
Process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized users or eavesdroppers who monitor the flow of traffic across a network
Encryption is frequently used to enforce confidentiality
Ciphers in current use include AES (Advanced Encryption Standard) for symmetric encryption and RSA for public-key encryption; DES (Data Encryption Standard) and Blowfish are legacy ciphers and should not be chosen for new designs
Hash functions (MD5 and SHA-1, both now deprecated for security use) and HMAC do not encrypt anything: they provide integrity, not confidentiality, and belong under the Integrity slide
Access control lists (ACLs) are another means
Foundations of Security
Integrity
Guarantee that data is protected from accidental or deliberate (malicious) modification
Integrity for data in transit is typically provided by using hashing techniques and message authentication codes
A bare hash only detects accidental corruption: an attacker who can alter the data can recompute the hash too, so protection against deliberate tampering needs a keyed MAC (e.g. HMAC) or a digital signature
Foundations of Security
Availability
Systems remain available for legitimate users
Definition of Terms
Threat
Any potential occurrence, malicious or otherwise, that could harm an asset
Definition of Terms
Vulnerability
Weakness that makes a threat possible
May be because of poor design, configuration mistakes, or inappropriate and insecure coding techniques
e.g. lack of or improper input validation
Definition of Terms
Attack
Action that exploits a vulnerability or enacts a threat
e.g. sending malicious input to an application
e.g. flooding a network in an attempt to deny service
Threat Modeling
Recommended to form part of your application's design phase
Analyzes your application's architecture and design and identifies potentially vulnerable areas that may allow a user, perhaps mistakenly, or an attacker with malicious intent, to compromise your system's security
Application Security
Use of software, hardware, and procedural methods to protect applications from external threats
Application Vulnerability Categories
Input Validation
How your application filters, scrubs, or rejects input before additional processing
Application Vulnerability Categories
Authentication
"Who are you?"
Process by which an entity proves its identity to another entity, typically through credentials, such as a username and password
Application Vulnerability Categories
Authorization
"What can you do?"
How your application provides access controls for resources and operations
Application Vulnerability Categories
Configuration Management
Who does your application run as?
Which databases does it connect to?
How is your application administered?
How are these settings secured?
How your application handles these operational issues
Application Vulnerability Categories
Sensitive Data
How your application handles any data that must be protected either in memory, over the wire, or in persistent stores
Application Vulnerability Categories
Session Management
Session
Series of related interactions between a user and your web application
How your application handles and protects these interactions
Application Vulnerability Categories
Cryptography
How are you keeping secrets secret (confidentiality)?
How are you tamperproofing your data or libraries (integrity)?
How are you providing seeds for random values that must be cryptographically strong?
How your application enforces confidentiality and integrity
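Added example (not from the slides): the Session Management and Cryptography slides above come together in a session layer. The code below issues session tokens from the OS CSPRNG, signs the cookie value with an HMAC so tampering is detected, compares signatures in constant time, and expires and revokes sessions server-side. The in-memory store, the 15-minute lifetime and the signing key generated at import are assumptions for the example; a real deployment loads the key from a secrets store.

```python
import hashlib
import hmac
import secrets
import time

# Server-side key used to sign cookie values. Generated here only so the
# example runs stand-alone; in production it comes from a secrets store.
COOKIE_SIGNING_KEY = secrets.token_bytes(32)

SESSION_TTL_SECONDS = 15 * 60   # assumed idle lifetime

# In-memory store, token -> (principal, expiry). Stands in for a cache or
# database; the point is that the server, not the cookie, is authoritative.
_sessions = {}


def create_session(principal, now=None):
    """Issue a fresh token for an authenticated principal.

    secrets.token_urlsafe draws from the OS CSPRNG (256 bits here). Never
    derive a session token from random.random, a timestamp or a counter:
    those are exactly the 'seeds that must be cryptographically strong'."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[token] = (principal, now + SESSION_TTL_SECONDS)
    return token


def sign_cookie(value):
    """Return 'value.signature'; any change to value invalidates it."""
    sig = hmac.new(COOKIE_SIGNING_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{sig}"


def verify_cookie(cookie):
    """Return the embedded value if the signature checks out, else None.

    hmac.compare_digest runs in constant time, so response timing does not
    leak how many leading signature bytes an attacker has guessed right."""
    value, sep, sig = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(COOKIE_SIGNING_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return value


def resolve_session(cookie, now=None):
    """Map a presented cookie to a principal, or None if forged/expired."""
    now = time.time() if now is None else now
    token = verify_cookie(cookie)
    if token is None:
        return None
    entry = _sessions.get(token)
    if entry is None:
        return None                      # unknown or already logged out
    principal, expires_at = entry
    if now >= expires_at:
        _sessions.pop(token, None)       # expired: remove it server-side
        return None
    return principal


def logout(cookie):
    """Invalidate server-side; deleting the cookie in the browser alone
    would leave a stolen copy usable until expiry."""
    token = verify_cookie(cookie)
    if token is not None:
        _sessions.pop(token, None)


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    cookie = sign_cookie(create_session("alice", now=t0))
    print(resolve_session(cookie, now=t0 + 60))                        # alice
    print(resolve_session(cookie, now=t0 + SESSION_TTL_SECONDS + 1))   # None
```

The cookie itself carries no user data, only an opaque token plus its signature; anything the application needs about the principal lives in the server-side entry, which is why logout and expiry can be enforced regardless of what the client still holds.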
Application Vulnerability Categories
Parameter Manipulation
Form fields, query string arguments, and cookie values are frequently used as parameters for your application
How your application safeguards against tampering with these values and how your application processes input parameters
Application Vulnerability Categories
Exception Management
When a method call in your application fails, what does your application do?
How much do you reveal?
Do you return friendly error information to end-users?
Do you pass valuable exception information back to the caller?
How does your application fail gracefully?
Application Vulnerability Categories
Auditing and Logging
"Who did what and when?"
How your application records security-related events
Core Security Principles
Compartmentalize
Reduce the surface area of attack
Ask yourself how you will contain a problem
If an attacker takes over your application, what resources can he or she access?
Can an attacker access network resources?
How are you restricting potential damage?
Examples
Firewalls
Least privileged accounts
Least privileged code
Core Security Principles
Use least privilege
By running processes using accounts with minimal privileges and access rights, you significantly reduce the capabilities of an attacker if the attacker manages to compromise security and run code
Core Security Principles
Apply defense in depth
Use multiple gatekeepers to keep attackers at bay
Do not rely on a single layer of security
Consider that one of your layers may be bypassed or compromised
Core Security Principles
Do not trust user input
Your application's user input is the attacker's primary weapon when targeting your application
Assume all input is malicious until proven otherwise
Core Security Principles
Check at the gate
Authenticate and authorize callers early at the first gate
Core Security Principles
Fail securely
If an application fails, do not leave sensitive data accessible
Return friendly errors to end-users that do not expose internal system details
Do not include details that may help an attacker exploit vulnerabilities in your application
Core Security Principles
Secure the weakest link
Is there a vulnerability at the network layer that an attacker can exploit?
What about the host?
Is your application secure?
Any weak link in the chain is an opportunity for breached security
Core Security Principles
Create secure defaults
Is the default account set up with the least privilege?
Is the default account disabled by default and then explicitly enabled when required?
Does the configuration use a password in plain text?
When an error occurs, does sensitive information leak back to the client to be used potentially against the system?
Core Security Principles
Reduce your attack surface
If you do not use it, remove it or disable it
Reduce the surface area of attack by disabling or removing unused services, protocols, and functionality
Does your server need all those services and ports?
Does your application need all those features?
Application Security
Aims to identify:
The critical assets of the organization
Genuine users who may access the data
Level of access provided to each user
Various vulnerabilities that may exist in the application
Data criticality and risk analysis on data exposure
Appropriate remediation measures
Controls/Risk Mitigation Measures
Implement a Software Development Lifecycle (SDLC)
Add security attributes to your SDLC
Performing the right activities
Qualified personnel
Controls/Risk Mitigation Measures
Enlist QA for basic application security holes
SSL (Secure Sockets Layer), in practice its successor TLS (Transport Layer Security): every SSL version is deprecated and should be disabled in favour of current TLS
App-specific PKI (Public Key Infrastructure)
Input sanitization
Controls/Risk Mitigation Measures
Standards
CWE
Common Weakness Enumeration
http://cwe.mitre.org
CAPEC
Common Attack Pattern Enumeration and Classification
http://capec.mitre.org
Controls/Risk Mitigation Measures
Application Firewalls (e.g. WAF)
Inspects all traffic flowing to the web application for common web application attacks
Add your solution to your asset inventory and configuration assessment tasks
Controls/Risk Mitigation Measures
Against Cross-site Scripting (XSS) attacks
Against SQL injection attacks
Against command injection attacks
Against directory traversal attacks
Controls/Risk Mitigation Measures
Explicit error checking should be done for all input
Implement thorough input validation
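Added example (not from the slides): the four attack classes on the previous slide, each shown as the vulnerable pattern beside the input-validation or output-encoding control that closes it. The SQLite table, the document root /srv/app/public and the hostname allow-list are constructed for the example; the ping commands are only built, never executed.

```python
import html
import re
import sqlite3
from pathlib import Path

# Constructed sample data: an in-memory table standing in for the user store.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (username TEXT, role TEXT)")
_db.executemany("INSERT INTO users VALUES (?, ?)",
                [("alice", "user"), ("bob", "admin")])


def roles_for_user_vulnerable(username):
    """SQL injection: the statement is assembled by string formatting, so a
    username of  ' OR '1'='1  turns the WHERE clause into 'always true'."""
    sql = f"SELECT role FROM users WHERE username = '{username}'"
    return [row[0] for row in _db.execute(sql).fetchall()]


def roles_for_user(username):
    """Parameterised query: the value travels separately from the SQL text,
    so quotes and keywords in the input can never change the statement."""
    rows = _db.execute("SELECT role FROM users WHERE username = ?",
                       (username,)).fetchall()
    return [row[0] for row in rows]


# Hypothetical document root; it need not exist for the path checks to work.
DOC_ROOT = Path("/srv/app/public").resolve()


def resolve_public_path(user_path):
    """Directory traversal guard: normalise the requested path and refuse
    anything that ends up outside DOC_ROOT. This covers '..' segments,
    absolute paths, and (for files that exist) symlinks pointing outside."""
    candidate = (DOC_ROOT / user_path).resolve()
    try:
        candidate.relative_to(DOC_ROOT)
    except ValueError:
        return None
    return candidate


# Allow-list for a hostname: letters, digits, dots and hyphens, never a
# leading hyphen (which a command would otherwise parse as an option).
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def ping_command_vulnerable(host):
    """Command injection: this string is what shell=True would hand to the
    shell, so host='example.com; cat /etc/passwd' runs a second command."""
    return f"ping -c 1 {host}"


def ping_argv(host):
    """Validated argv for subprocess.run(argv) with shell=False: the host is
    one argument and no shell ever interprets it."""
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def render_greeting(name):
    """XSS guard: encode user data at the point it is written into HTML.
    quote=True also escapes quotes, so the value is safe inside attributes."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    print(roles_for_user_vulnerable("' OR '1'='1"))   # ['user', 'admin']
    print(roles_for_user("' OR '1'='1"))              # []
    print(resolve_public_path("../../etc/passwd"))    # None
    print(ping_argv("example.com"))
    print(render_greeting("<script>alert(1)</script>"))
```

The common thread is that the control sits at the boundary where data meets an interpreter (SQL engine, filesystem, shell, browser): a parameter binding, a canonicalised path check, an argv list plus allow-list, and context-aware output encoding. Filtering the input string for suspicious characters, the approach the vulnerable versions invite, is always one bypass away.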
Controls/Risk Mitigation Measures
Whenever a variable is created in source code, the size and type should be determined
Guard against overflows
Buffer overflows
Integer overflows
Perform the checks using code reviews, and static and runtime analysis
Controls/Risk Mitigation Measures
When input is provided by the user, it should be verified that it does not exceed the size or the data type of the memory location in which it is stored or moved in the future
Can be mitigated against through a formalized SDLC with good code review and automated analysis
Controls/Risk Mitigation Measures
Test in-house-developed web applications for common security weaknesses using automated remote web application scanners prior to deployment
Through penetration testing
Controls/Risk Mitigation Measures
Test in-house-developed web applications for common security weaknesses using automated remote web application scanners whenever updates are made to the application
Regression testing for security issues
Controls/Risk Mitigation Measures
System error messages should not be displayed to end-users (output sanitization)
Simple data leakage mitigation
Can be troublesome for your support group
If need be, create an error code mapping from the platform/internals to something you can share with an end-user who will likely call support at some point anyway
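Added example (not from the slides): one request handler that applies the Exception Management, Auditing and Logging, and Fail securely slides together with the error code mapping described above. Internal exceptions are mapped to a user-safe code and message, the full exception is logged server-side under a reference id the user can quote to support, and every attempt is audited as "who did what, when, and with what outcome". The transfer operation, the account records and the error codes are constructed for the example.

```python
import json
import logging
import secrets
import time

# Internal failure classes mapped to codes and wording safe to show a user.
# The codes are assumptions for the example.
ERROR_CODE_MAP = [
    (KeyError,        ("E1001", "The requested record was not found.")),
    (PermissionError, ("E1003", "You are not allowed to perform this action.")),
    (ConnectionError, ("E2001", "A backend service is unavailable; please retry later.")),
]
GENERIC_ERROR = ("E9999", "An unexpected error occurred.")

# Audit sink: a list stands in for the append-only log or SIEM feed.
AUDIT_RECORDS = []
_audit_log = logging.getLogger("audit")
_app_log = logging.getLogger("app")


def audit(event, principal, outcome, **fields):
    """Record who did what, when, and how it turned out."""
    record = {"ts": time.time(), "event": event, "principal": principal,
              "outcome": outcome, **fields}
    AUDIT_RECORDS.append(record)
    _audit_log.info(json.dumps(record, default=str))
    return record


def transfer_funds(principal, accounts, src, dst, amount):
    """Constructed domain operation: all checks first, state change last,
    so any failure leaves balances exactly as they were."""
    source, target = accounts[src], accounts[dst]       # KeyError if unknown
    if source["owner"] != principal:
        raise PermissionError(f"{principal} does not own {src}")
    if amount <= 0 or source["balance"] < amount:
        raise ValueError("invalid amount")               # unmapped -> generic
    source["balance"] -= amount
    target["balance"] += amount
    return {"from": src, "to": dst, "amount": amount}


def handle(principal, operation, *args):
    """Run operation and fail securely.

    On failure the caller receives only the mapped code, a friendly message
    and a reference id; the exception text, which may contain paths, table
    names or other principals' identifiers, goes to the server-side logs."""
    name = operation.__name__
    try:
        result = operation(principal, *args)
    except Exception as exc:
        ref = secrets.token_hex(8)
        code, message = GENERIC_ERROR
        for exc_type, mapping in ERROR_CODE_MAP:
            if isinstance(exc, exc_type):
                code, message = mapping
                break
        audit(name, principal, "failure", ref=ref, code=code, exception=repr(exc))
        _app_log.error("ref=%s op=%s", ref, name, exc_info=exc)
        return {"ok": False, "code": code, "message": message, "ref": ref}
    audit(name, principal, "success", result=result)
    return {"ok": True, "result": result}


if __name__ == "__main__":
    accounts = {"acct-1": {"owner": "alice", "balance": 100},
                "acct-2": {"owner": "bob", "balance": 0}}
    print(handle("alice", transfer_funds, accounts, "acct-1", "acct-2", 40))
    print(handle("mallory", transfer_funds, accounts, "acct-1", "acct-2", 10))
    print(AUDIT_RECORDS[-1])
```

The reference id is what makes the "troublesome for support" problem tractable: the user reads out `ref` from the friendly message, and support finds the full exception and the matching audit record by that id, without the internals ever having crossed the trust boundary.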
Controls/Risk Mitigation Measures
Organizations should understand how their applications behave under denial of service attacks
Test your service for load and have an executable plan in place for when something goes wrong
Organizations should understand how their applications behave under resource exhaustion attacks
Controls/Risk Mitigation Measures
Maintain separate environments for production and non-production systems
Developers should not typically have unmonitored access to production environments
Controls/Risk Mitigation Measures
Test in-house-developed/third-party web and other application software for coding errors and malware insertion prior to deployment
Summary
Brief timeline on cyber attack history
Definition
Foundations of Security
Authentication
Authorization
Auditing
Summary
Foundations of Security
Confidentiality
Integrity
Availability
Definition of Terms
Threat
Vulnerability
Attack
Summary
Threat Modeling
Application Vulnerability Categories
Input Validation
Authentication
Authorization
Configuration Management
Sensitive Data
Summary
Application Vulnerability Categories
Session Management
Cryptography
Parameter Manipulation
Exception Management
Auditing and Logging
Core Security Principles
Compartmentalize
Use least privilege
Summary
Core Security Principles
Apply defense in depth
Do not trust user input
Check at the gate
Fail securely
Secure the weakest link
Create secure defaults
Reduce your attack surface
Risks and Risk Mitigation/Control Measures
References
Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Main_Page
Web Application Security Consortium
http://www.webappsec.org/
Web Application Security
http://www.techopedia.com/definition/24377/web-application-security
Application Software Security
http://www.tripwire.com/state-of-security/security-data-protection/20-critical-security-controls-control-6-application-software-security/
Improving Web Application Security: Threats and Countermeasures
http://msdn.microsoft.com/en-us/library/ff648636.aspx
References
10 Common Mobile Security Problems to Attack
http://www.pcworld.com/article/2010278/10-common-mobile-security-problems-to-attack.html
11 Most Common Security Threats
http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx
Cyber Attack Timeline
http://www.nato.int/docu/review/2013/Cyber/timeline/EN/index.htm
References
A Potted History of the IT Industry: 25 Years of Milestones
http://www.computerworlduk.com/slideshow/it-business/3278948/a-potted-history-of-the-it-industry-25-years-of-milestones/18/
A Short History of Hacks, Worms and Cyberterrors
http://www.computerworld.com/s/article/9131924/A_short_history_of_hacks_worms_and_cyberterror
Data Visualization of DDoS on Twitter
http://datavisualization.ch/showcases/how-twitter-got-attacked-by-a-ddos/
Russian Coder: I Hacked Georgia’s Sites in Cyberwar
http://www.wired.com/2008/10/government-and/