Layer 7: Securing Web 2.0 - What You Need to Know
DESCRIPTION
Web 2.0 has provided users with enhanced capabilities, but with it comes new security risks.
TRANSCRIPT
Securing Web 2.0
What You Need to Know
K. Scott Morrison
VP Engineering and Chief Architect
January 2007
SecureSpan™ Gateway Overview Proprietary and Confidential 2
Bio – K. Scott Morrison
VP Engineering & Chief Architect at Layer 7 Technologies
• http://www.layer7tech.com
• Layer 7 is based in Vancouver BC, Canada
Co-author of Sams’ Java Web Services Unleashed and Wrox’s Professional JMS
• Over 50 other publications in academic journals and trade magazines
Co-Editor WS-I Basic Security Profile
Co-Author WS-Federation
Frequent speaker on Web services, XML, mobile/wireless computing systems, distributed systems architecture, and Java design issues
Agenda
• Web 2.0
• AJAX
• What’s new about this?
• The collision between AJAX & SOA
• What are the new threat vectors
• Mitigation strategies
• Infrastructure solutions
Web 2.0
Web 2.0 isn’t a technology
It’s actually an approach to building for the Web
Web 2.0 is:
• Aggregation of content
• Collaboration
• Synergizing the efforts of individuals
• Rich interaction models
Remember: “You” is not a technology
Graphic source: http://www.time.com/time/covers/0,16641,20061225,00.html
Examples: MySpace, Flickr, Google Maps, Google Gmail, Google Suggest, del.icio.us, …etc
AJAX
AJAX is an approach underpinning Web 2.0
Provides rich browser interaction models
• This contributes to the goal of fostering individual contributions
Can also be used to aggregate content
AJAX is really a slick new name for existing technology:
1. (X)HTML and CSS for presentation markup
2. DOM and JavaScript for dynamic content
3. XMLHttpRequest (XHR), IFrame, or the dynamic <SCRIPT> hack for asynchronous content retrieval
4. XML, JSON, JavaScript Objects, or just text for data communication
So what is different here?
Web 1.0
[Diagram: Web Browser → Internet → Firewall → Corporate Network (Web Application Server, Network Directory Server)]
User clicks link, presses button, is referred, etc.
Web 1.0 (cont.)
[Diagram: same topology; the browser’s HTTP request passes through the firewall to the Web Application Server]
HTTP Request: HTTP GET or POST
HTTP headers + query params or POST contents
Server performs AuthN, AuthR
Web 1.0 (cont.)
[Diagram: same topology; the HTTP response flows back to the browser]
HTTP Response: HTML, images, JavaScript, etc.
New page rendered
User experiences long latency delays that affect usability
Web 2.0 – AJAX Paradigm
[Diagram: same topology]
Request as before
HTTP Response: HTML, images, JavaScript engine, etc.
Page load: HTML with embedded JavaScript engine
Separation between presentation and content retrieval
Web 2.0 – AJAX Paradigm (cont.)
[Diagram: same topology; the browser’s AJAX engine calls a Service on the Web Application Server]
User interacts with AJAX engine
HTTP Request: HTTP GET, POST, PUT, DELETE, HEAD, etc.
HTTP Response: XML, JSON, JavaScript Objects, text, etc.
Web 2.0 – Server Side Aggregations
[Diagram: same topology, plus External Feeds and Services on the Internet delivering RSS, ATOM, XML, etc. to the Web Application Server]
User interacts with web app server
Server pulls external information
Aggregate content page
There are also models for client-side (browser) aggregation
This, of course, could also be an AJAX-based application
Look familiar? It’s data integration all over again…
New data, new transport, same old problems
What are the Threats?
Threats Against The Client
[Diagram: Web Browser containing the AJAX Engine]
New Attack Surface: the AJAX engine itself
Loads of potential parameter & injection attacks. Attempts to hijack session tokens, cookies, etc.
Cross Site Scripting (XSS), Cross Site Reference Forgery (XSRF)
Turn off JavaScript??? No.
Lots of potentially dangerous things to query or even set. Consider DOM:
• document.URL
• document.cookie
• document.domain
• document.referrer
• etc…
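The DOM properties above are what the AJAX engine can read and write, and the same engine also has to turn whatever comes back over XHR into page content. The following is an added example, not code from the slides or from Layer 7: it shows a client-side response handler for the deck’s hypothetical getStockQuote service (the JSON field names symbol, price and note are assumed here). The response body is parsed with JSON.parse rather than handed to eval(), its fields are checked against an expected shape with unknown fields rejected, and every value is HTML-encoded before it becomes markup, which is the client-side defence against XSS through the engine. It is written to run under Node.js, so it builds the fragment as a string instead of touching the DOM.

```javascript
// Added example (not from the slides): safe handling of an XHR response body.
// Assumed response shape for the deck's hypothetical getStockQuote service:
//   {"symbol": "ACME", "price": 12.5, "note": "..."}

// One validator per expected field; anything else is rejected.
const QUOTE_SCHEMA = {
  symbol: (v) => typeof v === 'string' && /^[A-Z]{1,6}$/.test(v),
  price:  (v) => typeof v === 'number' && Number.isFinite(v) && v >= 0,
  note:   (v) => typeof v === 'string' && v.length <= 200,
};

// JSON.parse instead of eval(): a body that is not strict JSON (a function
// call, an assignment, a script) fails to parse instead of being executed.
function parseQuote(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return { ok: false, error: 'not valid JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, error: 'expected a JSON object' };
  }
  for (const key of Object.keys(data)) {
    if (!Object.prototype.hasOwnProperty.call(QUOTE_SCHEMA, key)) {
      return { ok: false, error: `unexpected field: ${key}` };
    }
  }
  for (const [key, check] of Object.entries(QUOTE_SCHEMA)) {
    if (!check(data[key])) {
      return { ok: false, error: `bad field: ${key}` };
    }
  }
  return { ok: true, quote: data };
}

// Encode for an HTML text/attribute context so data can never become markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the fragment as a string (Node.js has no DOM); every interpolated
// value goes through escapeHtml first.
function renderQuote(quote) {
  return `<li>${escapeHtml(quote.symbol)}: ${escapeHtml(quote.price.toFixed(2))}` +
         ` (${escapeHtml(quote.note)})</li>`;
}

function handleResponse(body) {
  const parsed = parseQuote(body);
  return parsed.ok ? renderQuote(parsed.quote)
                   : `<li>error: ${escapeHtml(parsed.error)}</li>`;
}

// Constructed sample bodies: one well-formed, one carrying script in a field,
// one that is not JSON at all (what an eval()-based client would have run).
const SAMPLE_OK      = '{"symbol":"ACME","price":12.5,"note":"after hours"}';
const SAMPLE_XSS     = '{"symbol":"ACME","price":12.5,"note":"<script>alert(1)</script>"}';
const SAMPLE_NOTJSON = 'alert(1)';

for (const body of [SAMPLE_OK, SAMPLE_XSS, SAMPLE_NOTJSON]) {
  console.log(handleResponse(body));
}
```

In a browser the escaped string can be assigned via innerHTML, or, better, each value set with textContent on its own element so no encoding step is needed at all. The document.cookie entry in the list above is also what the HttpOnly cookie attribute exists for: a session cookie flagged HttpOnly is still sent with requests but is not exposed to script through document.cookie.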
What are the Threats? (cont.)
Threats Against The Server
[Diagram: Firewall (80, 443) in front of the Corporate Network and Web Application Server]
Classic Attack Surface, but with new challenges
In: Richer parameter attacks, XML-based DOS attacks, etc.
Out: Information leaking, integrity compromise, injection, etc.
Big problem: XML parsers are just too helpful and naive
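The “too helpful” problem is concrete: a standard XML parser will expand entity declarations from an inline DTD, so a few hundred bytes of nested entities can expand to gigabytes in memory, and many will also fetch external entities. The check below is an added example, not Layer 7 code; it is the kind of pre-parse screen a gateway applies before any real parser sees the document. It refuses any DOCTYPE or ENTITY declaration outright, bounds the document size, and walks the tags to bound nesting depth and attributes per element. It is a filter, not an XML parser, and the limit values are assumed.

```javascript
// Added example (not from the slides): pre-parse screening of inbound XML.
// Limits are assumed values; tune them to the documents a service expects.
const XML_LIMITS = { maxBytes: 64 * 1024, maxDepth: 32, maxAttrsPerElement: 32 };

// Returns { ok: true, depth } or { ok: false, reason }.
function precheckXml(doc, limits = XML_LIMITS) {
  if (Buffer.byteLength(doc, 'utf8') > limits.maxBytes) {
    return { ok: false, reason: 'document too large' };
  }
  // Entity expansion and external entity retrieval are DTD features, so the
  // simplest safe rule is: no DTD of any kind, internal or external.
  if (/<!DOCTYPE/i.test(doc) || /<!ENTITY/i.test(doc)) {
    return { ok: false, reason: 'DTD not allowed' };
  }
  // Comments and CDATA may legitimately contain angle brackets; drop them
  // before the structural walk.
  const body = doc
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, '');

  const tagRe = /<(\/?)([^\s>\/]+)([^>]*?)(\/?)>/g;
  let depth = 0;
  let maxDepth = 0;
  let m;
  while ((m = tagRe.exec(body)) !== null) {
    const [, closing, name, attrs, selfClosing] = m;
    if (name.startsWith('?')) continue;            // XML declaration / PI
    if (closing) {
      depth -= 1;
      if (depth < 0) return { ok: false, reason: 'unbalanced tags' };
      continue;
    }
    const attrCount = (attrs.match(/=\s*("[^"]*"|'[^']*')/g) || []).length;
    if (attrCount > limits.maxAttrsPerElement) {
      return { ok: false, reason: `too many attributes on <${name}>` };
    }
    if (!selfClosing) {
      depth += 1;
      if (depth > limits.maxDepth) return { ok: false, reason: 'nesting too deep' };
      if (depth > maxDepth) maxDepth = depth;
    }
  }
  if (depth !== 0) return { ok: false, reason: 'unbalanced tags' };
  return { ok: true, depth: maxDepth };
}

// Constructed samples: a benign request, a document carrying an inline DTD
// (the declaration alone is enough to refuse it), and pathological nesting.
const SAMPLE_XML  = '<?xml version="1.0"?><quote><symbol>ACME</symbol></quote>';
const SAMPLE_DTD  = '<?xml version="1.0"?><!DOCTYPE q [<!ENTITY a "aaaa">]><q>&a;</q>';
const SAMPLE_DEEP = '<a>'.repeat(40) + '</a>'.repeat(40);

for (const sample of [SAMPLE_XML, SAMPLE_DTD, SAMPLE_DEEP]) {
  console.log(precheckXml(sample));
}
```

Whatever passes this screen still goes to a real parser configured with DTD processing and external entity resolution disabled; the screen only guarantees that the expensive or dangerous constructs never reach it, which is the point of doing the check at wire speed in front of the application servers.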
What are the Threats? (cont.)
Threats Against Content
[Diagram: Corporate Network consuming External Feeds and Services]
Another classic attack surface, but with still more new challenges
In: Session hijacking, unauthorized access, etc.
Out: Integrity compromise, injection of poison content like scripts into XML, etc.
Note that the aggregator is just another web client. It’s not a browser, but many similar attacks still apply.
Why Should You Care?
Big questions around corporate responsibility
Regulatory issues around privacy (HIPAA, PIPEDA, etc.)
Regulatory issues around accountability (Sarbox, etc.)
Liability for forged transactions
Liability for damage from compromised servers
Not to mention huge issues around brand and reputation damage accrued from a significant security event
Tactical Security Measures
Clients (browsers)
Tough area to secure
Must ensure you are serving solid code
Rigorous code review
AJAX has submarine complexity
Ensure that data streams you serve are validated
Redaction, strict validation to tightened schemas
[Diagram: Web Browser; servers offer clean and secure code; servers offer validated and cleansed data]
The problem with JavaScript is that it makes it easy to write code, but hard to write secure code
Tactical Security Measures (cont.)
Core Servers (Web application servers)
More control, and more mature best practices
Add rigorous AuthN, AuthR, Audit
Look at cryptographic model
Inward: DOS protect, threat protect, parameter validate
Outward: Schema validation and redaction
[Diagram: validate params; validate and cleanse data; secure channel]
What makes this difficult is the added complexity of XML data structures, and the richer attack surface of service-based APIs
Tactical Security Measures (cont.)
Aggregation Servers (Application servers)
Emerging area, with few best practices
Encourage authenticated access model
You may be forced into this anyway…
Look at cryptographic model
Incoming data: Validate feed content
Strip potential exploits like embedded <SCRIPT> tags
[Diagram: validate and threat protect data feed; authenticate access; secure channel]
The big problem here is you may not have control of the source of the data. A large number of sites are cracking down on “unauthorized” use in mashups.
Furthermore, APIs may change radically, making it critical to validate the incoming feed against a schema to catch API updates
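The two problems on this slide, poison content in feeds and feeds whose shape changes under you, can be handled by one validation step at the aggregator. The following is an added example, not Layer 7 code: it assumes the feed item has already been parsed out of the RSS or Atom document into a plain object with the fields title, link, description and pubDate (field names assumed), checks each against a fixed schema, reports any field the schema does not know as drift so an API change is noticed rather than silently passed through, requires links to be http(s) URLs, and strips <script> elements and inline event-handler attributes from the description, rejecting the item if script survives stripping. Stripping is defence-in-depth for content that has to stay HTML; plain-text fields should simply be encoded on output.

```javascript
// Added example (not from the slides): validating one aggregated feed item.
// Field names and limits are assumptions for the example.
const FEED_ITEM_SCHEMA = {
  title:       { required: true,  maxLen: 200 },
  link:        { required: true,  maxLen: 2048 },
  description: { required: false, maxLen: 5000 },
  pubDate:     { required: false, maxLen: 64 },
};

const SCRIPT_BLOCK = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;   // <script>...</script>
const SCRIPT_TAG   = /<\/?script\b[^>]*>/gi;                      // dangling open/close tag
const EVENT_ATTR   = /\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi; // onload="..." etc.

// Repeat until nothing changes, so removing one tag cannot expose another.
function stripScripts(html) {
  let prev;
  let out = html;
  do {
    prev = out;
    out = out.replace(SCRIPT_BLOCK, '').replace(SCRIPT_TAG, '').replace(EVENT_ATTR, '');
  } while (out !== prev);
  return out;
}

// Returns { ok, item, errors, drift }; drift lists fields the schema does not know.
function validateFeedItem(item) {
  const errors = [];
  const drift = [];
  if (item === null || typeof item !== 'object') {
    return { ok: false, item: null, errors: ['item is not an object'], drift };
  }
  for (const key of Object.keys(item)) {
    if (!Object.prototype.hasOwnProperty.call(FEED_ITEM_SCHEMA, key)) drift.push(key);
  }
  const clean = {};
  for (const [key, rule] of Object.entries(FEED_ITEM_SCHEMA)) {
    const value = item[key];
    if (value === undefined) {
      if (rule.required) errors.push(`missing ${key}`);
      continue;
    }
    if (typeof value !== 'string') { errors.push(`${key} is not a string`); continue; }
    if (value.length > rule.maxLen) { errors.push(`${key} too long`); continue; }
    clean[key] = value;
  }
  if (clean.link !== undefined && !/^https?:\/\/[^\s"'<>]+$/i.test(clean.link)) {
    errors.push('link is not an http(s) URL');
  }
  if (clean.description !== undefined) {
    clean.description = stripScripts(clean.description);
    // Anything script-like left after stripping means the item is refused,
    // not repaired further.
    if (/<script|javascript:/i.test(clean.description)) {
      errors.push('description still contains script');
    }
  }
  return { ok: errors.length === 0, item: clean, errors, drift };
}

// Constructed sample items: one with an embedded script, one whose provider
// added an unknown field and changed the link scheme.
const SAMPLE_ITEM_SCRIPT = {
  title: 'Quarterly results',
  link: 'http://feeds.example.com/results',
  description: '<p>Up 3%<script>alert(1)</script></p>',
};
const SAMPLE_ITEM_DRIFT = {
  title: 'New API',
  link: 'ftp://feeds.example.com/new',
  author: 'feed provider',
};

console.log(validateFeedItem(SAMPLE_ITEM_SCRIPT));
console.log(validateFeedItem(SAMPLE_ITEM_DRIFT));
```

The drift list is the operational hook for the API-change point on the slide: an aggregator that alerts when drift is non-empty learns about a provider’s schema change from its own logs rather than from a broken page.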
Thanks For Nothing Scott: “So How Do I Really Do This?”
You could just build it into your systems…
But that is brittle and error-prone
What you really need is specialized infrastructure built for this purpose
Needs to be:
High performance
Scalable
Simple to configure
And most important: offer tunable security policy
Why Tunable Policy?
Not all services are equal:
getStockQuote(): anonymous access, unsecured channel
buyStock(): authenticated and authorized access, secured (integrity and privacy) channel or message
Policy (the security processing model) must be customized to the business requirements
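What tunable policy means in practice is a per-service table that the enforcement point consults before a request reaches the application. The following is an added example, not SecureSpan code or its policy language: it encodes the two services from this slide, getStockQuote (anonymous, any channel, GET only) and buyStock (authenticated, a trader role, TLS, POST only), together with the parameter validation from the core-server slide, and evaluates a request object against them. The request fields (service, method, tls, principal, params), the role name and the parameter patterns are assumptions for the example; every decision comes back with a reason and an audit record.

```javascript
// Added example (not from the slides): per-service security policy evaluation.
// Policy fields, role names and parameter patterns are assumptions.
const POLICIES = {
  getStockQuote: {
    methods: ['GET'],
    auth: 'anonymous',
    requireTls: false,
    roles: [],
    params: { symbol: /^[A-Z]{1,6}$/ },
  },
  buyStock: {
    methods: ['POST'],
    auth: 'required',
    requireTls: true,
    roles: ['trader'],
    params: { symbol: /^[A-Z]{1,6}$/, quantity: /^[1-9][0-9]{0,5}$/ },
  },
};

// request: { service, method, tls, principal: null | { name, roles }, params }
// Returns { allow, reason, audit }. Checks run cheapest-first and stop at the
// first failure, so a rejected request never reaches parameter handling.
function evaluate(request, policies = POLICIES) {
  const decide = (allow, reason) => ({
    allow,
    reason,
    audit: {
      service: request.service,
      method: request.method,
      principal: request.principal ? request.principal.name : 'anonymous',
      decision: allow ? 'ALLOW' : 'DENY',
      reason,
    },
  });

  const known = Object.prototype.hasOwnProperty.call(policies, request.service);
  if (!known) return decide(false, 'unknown service');                 // default deny
  const policy = policies[request.service];
  if (!policy.methods.includes(request.method)) return decide(false, 'method not allowed');
  if (policy.requireTls && !request.tls) return decide(false, 'secure channel required');
  if (policy.auth === 'required' && !request.principal) return decide(false, 'authentication required');
  for (const role of policy.roles) {
    if (!request.principal || !request.principal.roles.includes(role)) {
      return decide(false, `role required: ${role}`);
    }
  }
  const params = request.params || {};
  for (const name of Object.keys(params)) {                            // unknown params denied
    if (!Object.prototype.hasOwnProperty.call(policy.params, name)) {
      return decide(false, `unexpected parameter: ${name}`);
    }
  }
  for (const [name, pattern] of Object.entries(policy.params)) {       // required and well-formed
    const value = params[name];
    if (typeof value !== 'string' || !pattern.test(value)) {
      return decide(false, `invalid parameter: ${name}`);
    }
  }
  return decide(true, 'policy satisfied');
}

// Constructed sample requests.
const QUOTE_REQUEST = {
  service: 'getStockQuote', method: 'GET', tls: false, principal: null,
  params: { symbol: 'ACME' },
};
const BUY_REQUEST = {
  service: 'buyStock', method: 'POST', tls: true,
  principal: { name: 'alice', roles: ['trader'] },
  params: { symbol: 'ACME', quantity: '10' },
};

console.log(evaluate(QUOTE_REQUEST).audit);
console.log(evaluate(BUY_REQUEST).audit);
console.log(evaluate({ ...BUY_REQUEST, tls: false }).audit);
```

The order of the checks is itself a policy choice: method and channel are checked before any credential is examined, and credentials before any parameter is inspected, so the cheapest rejection wins and the audit record always says which rule fired.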
Securing Web 2.0: SecureSpan Data Screen™
Securing Web 2.0: SecureSpan Data Screen™
• Hardware appliance for Web, REST, & AJAX security processing.
• ASICs for XML schema validation, XPath, XSLT, cryptographic operations
• Fully clustered
• Policy-based processing model
• Browser-based management and operations console
• Integration with all major directory, IAM, access control servers
• Integration with Symantec antivirus scan engine
[Diagram: SecureSpan Data Screen™ cluster with web browser-based management and operations]
Securing Web 2.0: SecureSpan Data Screen™
Gateway Deployment For Incoming Calls
[Diagram: Web Browser → Internet → gateway → Corporate Network (Web Application Server, Network Directory Server)]
• Wire speed schema validation of XML entering network
• Rigorous HTTP parameter validation
• Tight control over HTTP methods (GET, POST, DELETE, PUT, etc.). Control over REST.
• Hardware transformation of XML content in and out of network
• Throttle access to back end services
• Traffic shaping across server farms
• XML threat detection
• Endpoint for SSL and XML document security (encryption, signature & canonicalization according to W3C specs)
• Controlled stripping of <SCRIPT>, eval() (PHP, JS, Python, etc.), shell injection attacks, etc. to combat XSS
Securing Web 2.0: SecureSpan Data Screen™
Proxy Deployment For Outgoing Calls
[Diagram: Corporate Network (Web Browser, Web Application Server, Network Directory Server) → proxy → External Services delivering RSS, ATOM, XML, etc.]
• Wire speed validation of XML entering network
• Stripping of potentially harmful data in feeds (<SCRIPT>, etc.)
• Management of outgoing cryptography and credentials
• Wire speed transformation of XML data to insulate internal servers from external API changes
Summary
Web 2.0 and the technologies associated with it are too good to ignore
However, they introduce huge new security complexities
The only way to deal with these effectively is with diligence, rigor, and specialized infrastructure to manage an evolving threat model
Layer 7’s SecureSpan Data Screen™ provides the tools to help secure Web 2.0, REST, AJAX, SOA, RSS and ATOM today.
For further information:
K. Scott Morrison
Layer 7 Technologies
1501 – 700 West Georgia St.
Vancouver, B.C. V7Y 1B6
Canada
(800) 681-9377
http://www.layer7tech.com