Application Security

Reggie Santos, UP ITDC

Upload: reggie-niccolo-santos

Post on 15-Jan-2015

DESCRIPTION

* Brief timeline on cyber attack history
* Definition
* Foundations of Security
* Definition of Terms
* Threat Modeling
* Application Vulnerability Categories
* Core Security Principles
* Web Application Security
* Risks and Risk Mitigation/Control Measures

TRANSCRIPT

Page 1: Application Security

Application Security

Reggie Santos

UP ITDC

Page 2: Application Security

Outline

Brief timeline on cyber attack history

Definition

Foundations of Security

Definition of Terms

Threat Modeling

Page 3: Application Security

Outline

Application Vulnerability Categories

Core Security Principles

Web Application Security

Risks and Risk Mitigation/Control Measures

References

Page 4: Application Security
Page 5: Application Security
Page 6: Application Security
Page 7: Application Security
Page 8: Application Security
Page 9: Application Security
Page 10: Application Security
Page 11: Application Security
Page 12: Application Security
Page 13: Application Security
Page 14: Application Security

The number of variants of malicious software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year – Government Accountability Office (GAO), US (2012)

Page 15: Application Security

Security

Fundamentally about protecting assets

Assets

Tangible items such as a Web page or your customer database

Less tangible items such as the company’s reputation

Page 16: Application Security
Page 17: Application Security

Security

A path, not a destination

As you analyze your infrastructure and applications, you identify potential threats and understand that each threat presents a degree of risk

About risk management and implementing effective countermeasures

Page 18: Application Security

Foundations of Security

Authentication

Addresses the question: “who are you?”

Process of uniquely identifying the clients of your applications and services

Might be end-users, other services, processes, or computers

Authenticated clients are referred to as principals

Page 19: Application Security

Foundations of Security

Authorization

Addresses the question: “what can you do?”

Process that governs the resources and operations that the authenticated client is permitted to access

Page 20: Application Security

Foundations of Security

Authorization

Resources include files, databases, tables, rows, and so on, together with system-level resources such as registry keys and configuration data

Operations include performing transactions such as purchasing a product, transferring money from one account to another, or increasing a customer's credit rating

Page 21: Application Security

Foundations of Security

Confidentiality

Privacy

Process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized users or eavesdroppers who monitor the flow of traffic across a network

Page 22: Application Security

Foundations of Security

Confidentiality

Encryption is frequently used to enforce confidentiality

DES (Data Encryption Standard), RSA, HASH, MD5, AES (Advanced Encryption Standard), SHA-1, HMAC, Blowfish

Access control lists (ACLs) are another means

Page 23: Application Security

Foundations of Security

Integrity

Guarantee that data is protected from accidental or deliberate (malicious) modification

Integrity for data in transit is typically provided by using hashing techniques and message authentication codes

Page 24: Application Security

Foundations of Security

Availability

Systems remain available for legitimate users

Page 25: Application Security

Definition of Terms

Threat

Any potential occurrence, malicious or otherwise, that could harm an asset

Page 26: Application Security
Page 27: Application Security

Definition of Terms

Vulnerability

Weakness that makes a threat possible

May be because of poor design, configuration mistakes, or inappropriate and insecure coding techniques

e.g. lack of or improper input validation

Page 28: Application Security

Definition of Terms

Attack

Action that exploits a vulnerability or enacts a threat

e.g. sending malicious input to an application

e.g. flooding a network in an attempt to deny service

Page 29: Application Security

Threat Modeling

Recommended to form part of your application's design phase

Analyzes your application's architecture and design and identifies potentially vulnerable areas that may allow a user, perhaps mistakenly, or an attacker with malicious intent, to compromise your system's security

Page 30: Application Security
Page 31: Application Security

Application Security

Use of software, hardware, and procedural methods to protect applications from external threats

Page 32: Application Security

Application Vulnerability Categories

Input Validation

How your application filters, scrubs, or rejects input before additional processing

Page 33: Application Security
Page 34: Application Security

Application Vulnerability Categories

Authentication

"Who are you?"

Process where an entity proves the identity of another entity, typically through credentials, such as a username and password

Page 35: Application Security
Page 36: Application Security

Application Vulnerability Categories

Authorization

"What can you do?"

How your application provides access controls for resources and operations

Page 37: Application Security
Page 38: Application Security

Application Vulnerability Categories

Configuration Management

Who does your application run as?

Which databases does it connect to?

Page 39: Application Security

Application Vulnerability Categories

Configuration Management

How is your application administered?

How are these settings secured?

How your application handles these operational issues

Page 40: Application Security
Page 41: Application Security

Application Vulnerability Categories

Sensitive Data

How your application handles any data that must be protected either in memory, over the wire, or in persistent stores

Page 42: Application Security
Page 43: Application Security

Application Vulnerability Categories

Session Management

Session

Series of related interactions between a user and your web application

How your application handles and protects these interactions

Page 44: Application Security
Page 45: Application Security

Application Vulnerability Categories

Cryptography

How are you keeping secrets secret (confidentiality)?

How are you tamperproofing your data or libraries (integrity)?

How are you providing seeds for random values that must be cryptographically strong?

How your application enforces confidentiality and integrity

Page 46: Application Security

Application Vulnerability Categories

Parameter Manipulation

Form fields, query string arguments, and cookie values are frequently used as parameters for your application

How your application safeguards against tampering with these values and how your application processes input parameters
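
One way to detect tampering with a cookie value or hidden form field is to attach a message authentication code, as the integrity slide suggests for data in transit. The Python sketch below is an added example, not part of the original slides; the key, the token layout and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: demo key only; a real key is random and loaded from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def b64e(data: bytes) -> str:
    """URL-safe base64 without padding, so the token fits in a cookie or query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text: str) -> bytes:
    """Inverse of b64e: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(params: dict, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Serialize params plus an expiry time and append an HMAC-SHA256 tag."""
    issued = int(time.time() if now is None else now)
    body = dict(params, exp=issued + ttl_seconds)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def unseal(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the original params, or None if the token is malformed, altered or expired."""
    current = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the comparison leaks no timing hint.
    if not hmac.compare_digest(tag, expected):
        return None
    body = json.loads(payload)  # parsed only after the tag has verified
    if body.pop("exp") < current:
        return None
    return body
```

The tag protects integrity only: the payload is readable by the client, so values that must stay confidential belong in server-side session state rather than in the token.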

Page 47: Application Security
Page 48: Application Security

Application Vulnerability Categories

Exception Management

When a method call in your application fails, what does your application do?

How much do you reveal?

Page 49: Application Security

Application Vulnerability Categories

Exception Management

Do you return friendly error information to end-users?

Do you pass valuable exception information back to the caller?

How does your application fail gracefully?

Page 50: Application Security
Page 51: Application Security

Application Vulnerability Categories

Auditing and Logging

“Who did what and when?”

How your application records security-related events

Page 52: Application Security
Page 53: Application Security

Core Security Principles

Compartmentalize

Reduce the surface area of attack

Ask yourself how you will contain a problem

If an attacker takes over your application, what resources can he or she access?

Can an attacker access network resources?

Page 54: Application Security

Core Security Principles

Compartmentalize

How are you restricting potential damage?

Examples

Firewalls

Least privileged accounts

Least privileged code

Page 55: Application Security
Page 56: Application Security
Page 57: Application Security

Core Security Principles

Use least privilege

By running processes using accounts with minimal privileges and access rights, you significantly reduce the capabilities of an attacker if the attacker manages to compromise security and run code

Page 58: Application Security
Page 59: Application Security

Core Security Principles

Apply defense in depth

Use multiple gatekeepers to keep attackers at bay

Do not rely on a single layer of security

Consider that one of your layers may be bypassed or compromised

Page 60: Application Security
Page 61: Application Security

Core Security Principles

Do not trust user input

Your application's user input is the attacker's primary weapon when targeting your application

Assume all input is malicious until proven otherwise

Page 62: Application Security
Page 63: Application Security

Core Security Principles

Check at the gate

Authenticate and authorize callers early at the first gate

Page 64: Application Security
Page 65: Application Security

Core Security Principles

Fail securely

If an application fails, do not leave sensitive data accessible

Return friendly errors to end-users that do not expose internal system details

Do not include details that may help an attacker exploit vulnerabilities in your application

Page 66: Application Security
Page 67: Application Security

Core Security Principles

Secure the weakest link

Is there a vulnerability at the network layer that an attacker can exploit?

What about the host?

Is your application secure?

Any weak link in the chain is an opportunity for breached security

Page 68: Application Security

Core Security Principles

Create secure defaults

Is the default account set up with the least privilege?

Is the default account disabled by default and then explicitly enabled when required?

Does the configuration use a password in plain text?

When an error occurs, does sensitive information leak back to the client to be used potentially against the system?

Page 69: Application Security
Page 70: Application Security

Core Security Principles

Reduce your attack surface

If you do not use it, remove it or disable it

Reduce the surface area of attack by disabling or removing unused services, protocols, and functionality

Does your server need all those services and ports?

Does your application need all those features?

Page 71: Application Security
Page 72: Application Security

Application Security

Aims to identify:

The critical assets of the organization

Genuine users who may access the data

Level of access provided to each user

Page 73: Application Security

Application Security

Aims to identify:

Various vulnerabilities that may exist in the application

Data criticality and risk analysis on data exposure

Appropriate remediation measures

Page 74: Application Security

Controls/Risk Mitigation Measures

Implement a Software Development Lifecycle (SDLC)

Add security attributes to your SDLC

Performing the right activities

Qualified personnel

Page 75: Application Security

Controls/Risk Mitigation Measures

Enlist QA for basic application security holes

SSL (Secure Sockets Layer)

App-specific PKI (Public Key Infrastructure)

Input sanitization

Page 76: Application Security

Controls/Risk Mitigation Measures

Standards

CWE

Common Weakness Enumeration

http://cwe.mitre.org

CAPEC

Common Attack Pattern Enumeration and Classification

http://capec.mitre.org

Page 77: Application Security

Controls/Risk Mitigation Measures

Application Firewalls (e.g. WAF)

Inspects all traffic flowing to the web application for common web application attacks

Add your solution to your asset inventory and configuration assessment tasks

Page 78: Application Security

Controls/Risk Mitigation Measures

Against Cross-site Scripting Attacks (XSS)

Against SQL injection attacks

Against command injection attacks

Against directory traversal attacks

Page 79: Application Security

Controls/Risk Mitigation Measures

Explicit error checking should be done for all input

Implement thorough input validation

Page 80: Application Security

Controls/Risk Mitigation Measures

Whenever a variable is created in source code, the size and type should be determined

Guard against overflows

Buffer overflows

Integer overflows

Perform the checks using code reviews, and static and runtime analysis

Page 81: Application Security

Controls/Risk Mitigation Measures

When input is provided by the user, it should be verified that it does not exceed the size or the data type of the memory location in which it is stored or moved in the future

Can be mitigated against through formalized SDLC with good code-review and automated analysis

Page 82: Application Security

Controls/Risk Mitigation Measures

Test in-house-developed web applications for common security weaknesses using automated remote web application scanners prior to deployment

Through penetration testing

Page 83: Application Security

Controls/Risk Mitigation Measures

Test in-house-developed web applications for common security weaknesses using automated remote web application scanners whenever updates are made to the application

Regression testing for security issues

Page 84: Application Security

Controls/Risk Mitigation Measures

System error messages should not be displayed to end-users (output sanitization)

Simple data leakage mitigation

Can be troublesome for your support group

If need be, create an error code mapping from the platform/internals to something you can share with an end-user who will likely call support at some point anyway
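
The error code mapping described on this slide can be implemented as a single translation point between internal exceptions and what the client sees. The Python sketch below is an added example, not part of the original slides; the exception classes, support codes and messages are hypothetical.

```python
import logging
import uuid

log = logging.getLogger("app.errors")


# Hypothetical internal failure types standing in for platform exceptions.
class DatabaseUnavailable(Exception):
    pass


class UpstreamTimeout(Exception):
    pass


class InvalidInput(Exception):
    pass


# Internal failure -> (support code, HTTP status, text that is safe to show).
ERROR_MAP = {
    DatabaseUnavailable: ("E1001", 503, "The service is temporarily unavailable."),
    UpstreamTimeout: ("E1002", 504, "The request took too long. Please try again."),
    InvalidInput: ("E2001", 400, "Some of the submitted values were not accepted."),
}
FALLBACK = ("E9999", 500, "An unexpected error occurred.")


def to_public_error(exc: Exception) -> dict:
    """Log full detail server-side; return only a code, a fixed message and an incident id."""
    code, status, message = FALLBACK
    for cls in type(exc).__mro__:  # subclasses inherit their parent's mapping
        if cls in ERROR_MAP:
            code, status, message = ERROR_MAP[cls]
            break
    incident_id = uuid.uuid4().hex[:12]
    # %r escapes newlines in the detail, so attacker-influenced text cannot forge log lines.
    log.error("incident=%s code=%s type=%s detail=%r",
              incident_id, code, type(exc).__name__, str(exc), exc_info=exc)
    return {"status": status,
            "body": {"code": code, "message": message, "incident_id": incident_id}}


def handle(action) -> dict:
    """Run a request handler; any exception becomes a sanitized response (fail securely)."""
    try:
        return {"status": 200, "body": action()}
    except Exception as exc:
        return to_public_error(exc)


def constructed_failing_action():
    # Constructed example of an internal message that must never reach the client.
    raise DatabaseUnavailable("connect to db01.internal:5432 as app_rw failed")
```

The incident id is what the end-user reads to support, and support uses it to find the full server-side log entry.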

Page 85: Application Security

Controls/Risk Mitigation Measures

Organizations should understand how their applications behave under denial of service attacks

Test your service for load and have an executable plan in place for when something goes wrong

Organizations should understand how their applications behave under resource exhaustion attacks

Page 86: Application Security

Controls/Risk Mitigation Measures

Maintain separate environments for production and non-production systems

Developers should not typically have unmonitored access to production environments

Page 87: Application Security

Controls/Risk Mitigation Measures

Test in-house-developed/third-party web and other application software for coding errors and malware insertion prior to deployment

Page 88: Application Security

Summary

Brief timeline on cyber attack history

Definition

Foundations of Security

Authentication

Authorization

Auditing

Page 89: Application Security

Summary

Foundations of Security

Confidentiality

Integrity

Availability

Definition of Terms

Threat

Vulnerability

Attack

Page 90: Application Security

Summary

Threat Modeling

Application Vulnerability Categories

Input Validation

Authentication

Authorization

Configuration Management

Sensitive Data

Page 91: Application Security

Summary

Application Vulnerability Categories

Session Management

Cryptography

Parameter Manipulation

Exception Management

Auditing and Logging

Core Security Principles

Compartmentalize

Use least privilege

Page 92: Application Security

Summary

Core Security Principles

Apply defense in depth

Do not trust user input

Check at the gate

Fail securely

Secure the weakest link

Create secure defaults

Reduce your attack surface

Page 93: Application Security

Summary

Core Security Principles

Apply defense in depth

Do not trust user input

Check at the gate

Fail securely

Secure the weakest link

Create secure defaults

Reduce your attack surface

Risks and Risk Mitigation/Control Measures
