Web Applications The Hacker s New Target

Transcription

1 Web Applications The Hacker s New Target Ross Tang IBM Rational Software An IBM Proof of Technology Hacking 102: Integrating Web Application Security Testing into Development 1

2 Are you phished? 2

3 Facebook Worm 3

4 Hacking 102: Integrating Web Application Security Testing into Development 4

5 Hacking 102: Integrating Web Application Security Testing into Development 5

6 6

7 7

8 UK 8

9 Hacking 102: Integrating Web Application Security Testing into Development 9

10 The Myth: Our Site Is Safe Security We Have Firewalls in Place Port 80 & 443 are open for the right reasons We Audit It Once a Quarter with Pen Testers Applications are constantly changing We Use Network Vulnerability Scanners Neglect the security of the software on the network/web server We Use SSL Encryption Only protects data between site and user not the web application itself 10

11 The WEAKEST Link: Web Application last layer of defense Desktop Firewall IDS/IPS Web Applications Cross Site Scripting DoS Antispoofing Web Server Known Vulnerabilities Parameter Tampering Port Scanning Patternbased Attack Cookie Poisoning SQL Injection Manual Patching and Code Review 11

12 The Reality: Security and Spending Are Unbalanced Security Spending Buffer Overflow Cookie Poisoning Hidden Fields Cross Site Scripting Stealth Commanding Parameter Tampering Forceful Browsing SQL Injection Etc % of Attacks % of Dollars 75% 25% Web Applications Network Server 10% 90% 75% 2/3 of All Attacks on Information Security Are Directed to the Web Application Layer of All Web Applications Are Vulnerable Sources: Gartner, Watchfire 12

13 Black-box (Discovering SQL Injection) ****** SELECT * from tusers where userid= AND password= foobar 13

14 Example : Cross Site Scripting The Exploit Process Evil.org 1) Link to bank.com sent to user via or HTTP User 4) Script sends user s cookie and session information without the user s consent or knowledge 5) Evil.org uses stolen session information to impersonate user 2) User sends script embedded as data 3) Script/data returned, executed by browser bank.com 14

15 IBM Rational AppScan End-to-End Application Security REQUIREMENTS CODE BUILD QA SECURITY PRODUCTION Security Requirements Definition AppScan Source AppScan Tester AppScan Standard AppScan ondemand (SaaS) AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting) Security requirements defined before design & implementation Build security testing into the IDE Automate Security / Compliance testing in the Build Process Security / compliance testing incorporated into testing & remediation workflows Security & Compliance Testing, oversight, control, policy, audits Outsourced testing for security audits & production site monitoring Application Security Best Practices

16 How Internet Banking is secure Hacking 102: Integrating Web Application Security Testing into Development 16

17 Nearly 1000 Companies Depend On Watchfire 9 of the Top 10 8 of the Top 10 Largest U.S. Retail Technology Banks Brands 7 of the Top 10 Pharma / Clinical Companies Multiple Large Government Agencies Veteran s Affairs Army Navy Air Force Marines Large, Complex Web Sites Highly Regulated High User Volume Extensive Customer Data 17

18 Security Industry Leaders Use and/or work with Watchfire solutions in their work Technology Companies Consultants and Researchers More EDS 18

19 Trojan Software cost $99 Constructor/Turko jan V.4 New features Remote Desktop Webcam Streaming Audio Streaming Remote passwords MSN Sniffer Remote Shell Advanced File Manager Online & Offline keylogger Information about remote computer Etc..