Application Security Review, 5 Dec 09 (final)

Application Security Review, presented by Manoj Agarwal, CEP on Dec 5, 09 @ IIA-India, Bombay Chapter

Upload: manoj-agarwal

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Application Security Review 5 Dec 09 Final


Application Security Review
Presented by Manoj Agarwal

CEP on Dec 5, 09 @ IIA-India, Bombay Chapter

Page 2: Application Security Review 5 Dec 09 Final

December 09 © ANB Consulting CO. Pvt. Ltd. 2

Agenda
• What is an Application Security Review
• Why Application Security Assessment
• Examples of Potential Vulnerabilities
• Q & A

Page 3: Application Security Review 5 Dec 09 Final


Reviewing Application
• Confidentiality
– Confidential information must only be divulged as appropriate, and must be protected from unauthorized disclosure or interception.
– Confidentiality includes privacy considerations. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data, etc.
• Integrity
– Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting.
– The integrity of data is not only whether the data is 'correct', but whether it can be trusted and relied upon.
• Availability
– Information must be available to the business, its customers, and partners when, where, and in the manner needed.
– Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster at the site where the information was located.

Page 4: Application Security Review 5 Dec 09 Final


Motivation For Application Security
• Cost of recovery and lost productivity
• Loss of data
• Impact on consumer confidence
• Legal risks

Page 5: Application Security Review 5 Dec 09 Final


Security Principles
• Confidentiality
• Integrity
• Authentication
• Authorization
• Availability
• Non-repudiation

Page 6: Application Security Review 5 Dec 09 Final


Managing Risk
• Strategic
• Tactical
• Operational
• Legal

Page 7: Application Security Review 5 Dec 09 Final


Assessment Criteria
• Definition of an application
• Scope of assessments
– High-risk
– Medium-risk
– Low-risk
• Types of Assessments
– Limited assessments
– Comprehensive assessments

Page 8: Application Security Review 5 Dec 09 Final


Participants (diagram; labels recovered from the slide)
• Security Policy
• Threat Modeling
• Corporate Security
• Application Review Team
• Operations IT
• Business Unit IT Groups
• Risk Assessment
• Audits
• Action on Audit Findings

Page 9: Application Security Review 5 Dec 09 Final


Application Security Process Framework

Verify In Production Applications

Design, Develop, Test, and Verify Secure Apps

Educate IT Professionals

Maintain and Publish Policies and Guidelines

Respond to Security Exposure Incidents

Apply Lessons Learned

Page 10: Application Security Review 5 Dec 09 Final


Application Management – Secure Infrastructure (diagram; labels recovered from the slide)
• NETWORK
– Architecture
– Transport
– Network device
– Access control list (ACL) permission settings
• HOST
– Operating system
– Services: Internet Information Services (IIS), Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP), NetBIOS/Remote procedure call (RPC), Terminal Services, Microsoft SQL Server™
• APPLICATION
– Input validation
– Clear text protocol
– Authentication
– Authorization
– Cryptography
– Auditing and logging
• ACCOUNT
– Unused accounts
– Weak or blank passwords
– Shared accounts
– Access privileges
• TRUST
– Rogue trusts

Page 11: Application Security Review 5 Dec 09 Final


Building Secure Networks – Configuration
• Network segmentation
• Firewalls
• Routers and switches

Page 12: Application Security Review 5 Dec 09 Final


Building Secure Networks – Intrusion Detection Systems And Network Encryption

• Detection systems should monitor for
– Reconnaissance attacks
– Exploit attacks
– Denial of service attacks

• Network encryption
– Key tool in preventing sensitive data from being read
– Sensitive communication should be encrypted
– Industry-standard encryption methods: Secure Sockets Layer (SSL), a secure shell program such as SSH, Internet Protocol Security (IPSec)

Page 13: Application Security Review 5 Dec 09 Final


Building Secure Hosts For Applications

• Patch management
• Configuration
• Permissions
• Simple Network Management Protocol community strings
• Antivirus software
• Server auditing and logging
• Server backup and restore

Page 14: Application Security Review 5 Dec 09 Final


Application Layer Requirements

• Input validation
• Session management
• Authentication and authorization
• Design and code review
• Application and server error handling
• Application auditing and logging
• Application backup and restore
• Private data encryption

Page 15: Application Security Review 5 Dec 09 Final


Common Application Development Issues

• User input validation
• Cookies, authentication, and access
• Passwords
• Access control lists
• Auditing and logging

Page 16: Application Security Review 5 Dec 09 Final


Lessons Learned

• If you wait until an application is already in production to make it secure, you are too late
• Good security practices take into account both the host and the application client
• Create clearly written and easily accessible security guideline documentation
• Create security checklists that include step-by-step instructions
• Develop a thoroughly considered policy exception tracking process
• Education is crucial to the success of a security program
• Processes and reporting are required to ensure that inventory information is maintained
• Security is an ongoing, always changing, concern

Page 17: Application Security Review 5 Dec 09 Final


Lessons Learnt…
• 70% of applications reviewed by security firms had significant security design flaws
• Interaction between server, 3rd party code, and custom business logic creates vulnerabilities
• Patching or rebuilding an app is expensive
• Perception exists that locking down OS and web server = web security
• Web-facing, business critical applications
• HTTP & SSL open to the world
• Much investment focused on infrastructure
• Well understood threats, mature products
• Firewalls, authentication, intrusion detection
• Security is many times an overlooked facet of web development projects

Page 18: Application Security Review 5 Dec 09 Final


Policies

• Applications should comply with application security policies and guidelines
• Applications should go through a security design review process
• Third-party application vendors should provide assurances that the software does not contain anything that could be used to compromise security controls
• Internet-facing applications should use existing methods of authentication
• Applications that reside on the corporate network should rely on Windows integrated authentication
• Applications that cannot use Windows integrated authentication should either encrypt or hash the password stores
• Credentials should never be stored or sent unencrypted
• User input should be filtered and examined at the Web server
• Web applications should use strong, nonpredictable session IDs
• Web applications should use an inactivity timeout
• Cookies that contain sensitive data should be marked as secure and nonpersistent

Page 19: Application Security Review 5 Dec 09 Final


Examples… Parameter Tampering
• Price information is stored in a hidden HTML field with an assigned $ value
• Assumption: hidden field won't be edited
• Attacker edits $ value of product in HTML
• Attacker submits altered web page with new "price"
• Still widespread in many web stores
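The checkout described on this slide, as an added example (not from the deck): the handler that trusts the hidden price field beside one that treats the server-side catalog as the only source of prices, range-checks the other fields, and records a mismatch for detection. The catalog, SKUs and field names are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalog: the server-side source of truth for prices.
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("120.00")}
ALERTS = []  # price mismatches recorded for the review/detection log


class TamperedRequest(ValueError):
    """Raised when a submitted field fails validation."""


def checkout_vulnerable(form):
    """Pattern from the slide: the hidden 'price' field is trusted as sent."""
    return Decimal(form["price"]) * int(form["qty"])


def checkout_hardened(form):
    """Price comes from the catalog; every client-supplied field is checked."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise TamperedRequest("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise TamperedRequest("qty is not an integer") from None
    if not 1 <= qty <= 100:
        raise TamperedRequest("qty out of bounds")
    unit = CATALOG[sku]
    sent = form.get("price")
    if sent is not None:  # old forms may still echo a price field back
        try:
            mismatch = Decimal(sent) != unit
        except InvalidOperation:
            mismatch = True
        if mismatch:  # never affects the total, only the alert log
            ALERTS.append(f"sku={sku} client_price={sent!r} catalog={unit}")
    return unit * qty


if __name__ == "__main__":
    tampered = {"sku": "SKU-100", "qty": "2", "price": "0.01"}
    print(checkout_vulnerable(tampered))  # 0.02: the browser set the price
    print(checkout_hardened(tampered))    # 99.98: the catalog price wins
    print(ALERTS)
```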

Page 20: Application Security Review 5 Dec 09 Final


Examples… Cookie Poisoning
• Attacker impersonates another user
– Identifies the cookie values that identify the customer to the site
• Attacker notices patterns in cookie values
– Edits the pattern to mimic another user
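The session-ID and cookie rules from the Policies slide (strong, nonpredictable IDs; inactivity timeout; secure, nonpersistent cookies) are what removes the pattern this slide describes. As an added example (not from the deck), a hypothetical in-memory session store using the Python standard library, the Set-Cookie value it emits, and a small review check that flags a cookie violating those rules; the cookie name and timeout are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60  # assumed: seconds of inactivity before a session is dropped


class SessionStore:
    """Hypothetical in-memory store keyed by unguessable session IDs."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the timeout is testable
        self.sessions = {}      # sid -> {"user": name, "last": timestamp}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: no pattern to learn
        self.sessions[sid] = {"user": user, "last": self.now()}
        return sid

    def lookup(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if self.now() - entry["last"] > IDLE_TIMEOUT:
            del self.sessions[sid]       # inactivity timeout: the ID is dead
            return None
        entry["last"] = self.now()
        return entry["user"]


def session_cookie_header(sid):
    """Set-Cookie value: Secure, HttpOnly, no Expires/Max-Age (nonpersistent)."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["samesite"] = "Strict"
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="").strip()


def cookie_policy_findings(set_cookie_value):
    """Review check: list the ways a Set-Cookie value breaks the policy above."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie_value.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie (Expires/Max-Age set)")
    return findings
```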

Page 21: Application Security Review 5 Dec 09 Final


Un-validated Input Attack
• Exploitation of implied trust relations
• Instead of:
– [email protected]
• Attacker inputs:
– //////////////////////////////////////////////////
• Exploits lack of boundary checkers on the back-end application

Page 22: Application Security Review 5 Dec 09 Final


Page 23: Application Security Review 5 Dec 09 Final


Thank You