Points of View. CxO s point of view. Developer s point of view. Attacker s point of view

Transcription

1 Web App Security 2

2 CxO s point of view Points of View Measurable security SCAP (Security Content Automation Protocol) Developer s point of view Secure coding/software security CWE (Common Weakness Enumeration) Attacker s point of view Find vulnerabilities CAPEC (Common Attack Patterns Enumeration and Classification)

3 What A Developer Needs A starting point for secure coding A stepping stone to build knowledge A didactic tool Iterative learning Top X lists Implementation insecurity Design, installation, etc., insecurity Facilitators An API that embodies secure coding Put knowledge into practice Secure Design Patterns Reuse of knowledge and experience

4 Seven Pernicious Kingdoms (7PK) Taxonomy Common vocabulary Understand how failure occurs Goal of 7PK Educate developers about software errors with security impact

5 7PK Properties Each item fits into one category Not intended to be comprehensive Focus on real issues Categorization expected to change Detectable by static analysis tools Feedback to educate developers Code level security for software applications (not OS) Phyla (Vuln classes) and Kingdom (Vuln classes that share same theme) Buffer Overflow and Input Validation May be language (C), framework (Struts) specific

6 7PK 1. Input Validation and Representation 2. API Abuse 3. Security Features 4. Time and State 5. Errors 6. Code Quality 7. Encapsulation Environment

7 7PK Online

8 Developer Learning Cycle Less insecure code each time Code Rectify and Learn Check

9 Why 7PK A good place to start Practical focus on real issues A learning tool Part of OWASP/well understood/common language BUT feel free to use others

10 What About Other Insecurity? Statically Analyzable Insecurity Design, installation Issues etc. Critical Insecurity 7 Kingdoms Not Statically Analyzable Insecurity

11 Developer s Headache

12 Pareto Security OWASP Top 10 Web application focus Can be mapped on to 7PK CWE/SANS Top 25 Broader focus

13 Mapping OWASP into 7PK

14 Quote from CWE/SANS Top 25 FAQ Does not prioritize bugs Addresses only bugs during implementation/ statically analyzable Does not address security issues in design, configuration, installation, and other SDLC phases

15 Landwehr et al./viega Where How When

16 Pros Landwehr et al./viega (cont.) Easy to determine strategy If most issues occur because insecurity was introduced in design phase, then probably need more resources, e.g., security architects Easy to determine when to look for what Cons Depending on current activity, look out for related weakness Difficult to categorize issues If it is not known how the vulnerability entered the system, it is difficult to categorize

17 Secure Design Patterns Not focused on the implementation of specific security mechanisms Focus on elimination of accidental insertion of vulnerabilities into code or to mitigate the consequences of vulnerabilities Generalize existing best security design practices Extend existing design patterns with securityspecific functionality

18 Pattern Definition A pattern is a general reusable solution to a commonly occurring problem in design A description or template for how to solve a problem that can be used in many different situations An algorithm is not a pattern

19 Pattern Description Format

20 Secure Design Patterns Architectural Design Implementation

21 Architectural level Pattern Underline responsibilities between different components of the system Define the interaction between those highlevel components Example Distrustful Decomposition PrivSep (Privilege Separation) Defer to Kernel

22 Application Design Application has many users Each user may be assigned into different groups Each user needs to authenticate to the application before performing tasks A very common requirement How do you go about this?

23 Design Sketch User Table Login DB Admin Application with Access Control Read/Write Access LAN Internet

24 Privilege Separation (PrevSep) Intent Reduce the amount of code that runs with special privilege to reduce impact of successful attack Motivation Small set of simple operations (easy to verify) require elevated privileges Larger set of complex and security error prone operations run in unprivileged mode

25 PrevSep (cont.) Applicability Functions that do not require elevated privileges Have relatively large attack surfaces in that the functions Significant communication with untrusted sources Complex, potentially error prone algorithms

26 Issues with Design Sketch User Table Login DB Admin Application with Access Control Read/Write Access Login does not require Write Complex algorithm, i.e., login, admin, etc. LAN Internet

27 PrevSep Application Login Admin Read/Write Access Admin Module DB Application with Access Control User Table Read/Write Access LAN Internet

28 Intent Defer To Kernel Separate functionality that requires elevated privileges from those that do not Take advantage of existing user verification functionality available at the kernel level Motivation Reuse of user verification functionality provided by the OS kernel Don t roll own security code Already validated code Portability

29 Defer To Kernel Login User Table /etc/passwd Admin Read/Write Access Admin Module DB Application with Access Control Login Module OS Kernel Read/Write Access LAN Internet

30 Design level Pattern Address problems in the internal design of a single high level component Not the definition and interaction of high level components themselves Example Secure Factory Secure Strategy Factory Secure Builder Factory Secure Chain of Responsibility Secure State Machine Secure Visitor

31 Builder Factory RTFReader ParseRTF() if choice == HTML { builder = new HTMLConverter } else { builder = new ASCIIConverter } while (t = get next token) { switch(t.type) { CHAR: builder->convertchar() FONT: builder->convertfont() PARA: builder->convertpara() } } TextConverter ConvertChar() ConvertFont() ConvertPara() GetOutput() ASCIIConverter ConvertChar() GetOutput() Concrete Builders Abstract Builder HTMLConverter ConvertChar() ConvertFont() ConvertPara() GetOutput()

32 Builder Factory Intent Separate the construction of complex object from representations The same construction process can create different representations

33 Intent Secure Builder Factory Separate security dependent rules involved in creating a complex object from the basic steps involved in actually creating the object Process A caller for Secure Builder Factory pattern based on a specific set of security credentials Pattern implementation uses the given security credentials to select and return the appropriate object implementing the Builder pattern The builder object builts the complex object

34 Secure Builder Factory DisplayData DisplayData (credentials, ID) if credentials == admin { builder = new TrustedPDMS } else { builder = new UntrustedPDMS } builder->setname(id) data = builder->getsqlresult() show(data) PDMS TrustedPDMS SetName() GetJob() GetSSN() GetSQLResult() SetName() GetJob() GetSSN() GetSQLResult() Abstract Builder UntrustedPDMS SetName() GetJob() GetSSN() => nil GetSQLResult() NOTE: PDMS is persistent data management system Concrete Builders

35 Implementation level Pattern Implementation of specific functions Address the same problem set addressed by the CERT Secure Coding Standards Often linked to a corresponding secure coding guideline Example Secure Logger Clear Sensitive Information Secure Directory Pathname Canonicalization Input Validation Resource Acquisition Is Initialization

36 Enterprise Security API (ESAPI) Enables developer to focus on functional goals Discourages developer to roll their own security mechanisms Facade, Bridge pattern No lock in and modular ala JCE

37 ESAPI in A Picture Embodies OWASP Top Ten Mitigation

38 Architecture Overview Custom Enterprise Web Application Enterprise Security API Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Exception Handling Logger IntrusionDetector SecurityConfiguration Existing Enterprise Security Services/Libraries 38

39 Coverage OWASP Top Ten OWASP ESAPI A1. Cross Site Scripting (XSS) A2. Injection Flaws A3. Malicious File Execution A4. Insecure Direct Object Reference A5. Cross Site Request Forgery (CSRF) A6. Leakage and Improper Error Handling A7. Broken Authentication and Sessions A8. Insecure Cryptographic Storage A9. Insecure Communications A10. Failure to Restrict URL Access Validator, Encoder Encoder HTTPUtilities (upload) AccessReferenceMap User (csrftoken) EnterpriseSecurityException, HTTPUtils Authenticator, User, HTTPUtils Encryptor HTTPUtilities (secure cookie, channel) AccessController

40 Handling Authentication and Identity User Controller Business Functions Data Layer Backend ESAPI Users Authentication Access Control Logging Intrusion Detection

41 Cross Site Request Forgery bank.com Cookie with credentials RandomToken=sdfkjh234jsdf Go to Transfer Assets Submit Transaction attacker s post at blog.net 41 Adopted from Eric Sheridan (Aspect Security Inc.) OWASP

42