How to Build a Trusted Application. John Dickson, CISSP

Transcription

1 How to Build a Trusted Application John Dickson, CISSP

2 Overview What is Application Security? Examples of Potential Vulnerabilities Strategies to Build Secure Apps Questions and Answers

3 Denim Group, Ltd. Background Enterprise application development company with security expertise Large-scale web application development projects Application-level integration Application security assessments and secure application development

4 What is Application Security? Security associated with custom application code Focus is on web application security Versus non-internet facing applications Protection of online customer data given recent privacy lapses

5 Software Implementation Perfect World Actual Functionality Intended Functionality

6 Software Implementation Real World Actual Functionality Intended Functionality Built Features Bugs Unintended And Undocumented Functionality

7 Nature of HTTP and the Web Hyper-Text Transport Protocol (HTTP) is a light-weight application-level protocol with the speed that is necessary for distributed, collaborative information systems. HTTP is a state-less, connection-less transmission protocol Ports 80 & 443 (HTTP & HTTPS) Assumption: web servers expect request to come from browser - implicitly trust input

8 Why Application Security? More business-critical apps and customer data online Attacker community focusing on port 80/443 Complexities involved with interaction between server, 3 rd party code, and custom business logic 10% of FBI/CSI Study respondents reported misuse of public web applications Compliance pressures (SOX, GLB, HIPAA)

9 Why Application Security? Rapid dev cycle creates control weaknesses Much investment focused on infrastructure Well understood threats, mature products Firewalls, authentication, intrusion detection Security many times an overlooked facet of web development projects

10 Additional Challenges Most organizations do not have sufficiently skilled resources to cope with application security assessments Development teams typically under deadlines I love deadlines. I especially love the whooshing sound they make as they fly by. --Douglas Adams, Author, Hitchhiker's Guide to the Galaxy.

11 Examples of Potential Vulnerabilities

12 Parameter Tampering Price information is stored in hidden HTML field with assigned $ value Assumption: hidden field won t be edited Attacker edits $ value of product in HTML Attacker submits altered web page with new price Still widespread in many web stores

13 Price Changes via Hidden HTML tags

14 Price Changes via Hidden HTML tags

15 Cookie Poisoning Attacker impersonates another user Identifies cookie values that ID s the customer to the site Attacker notices patterns in cookie values Edits pattern to mimic another user

16 Cookie Poisoning

17 Cookie Poisoning

18 Cookie Poisoning

19 Cookie Poisoning

20 Unvalidated Input Attack Exploitation of implied trust relations Instead of: Attacker inputs: ////////////////////////////////////////////////// Exploits lack of boundary checkers on back-end application

21 Unvalidated Input Attack

22 Unvalidated Input Attack

23 Unvalidated Input Attack

24 Unvalidated Input Attack

25 Potential Strategies to Build Secure Apps

26 Potential Strategies to Build Secure Apps OWASP resources Attack modeling Bridge Cultural gap Assess SDLC Application Security Assessments

27 Open Web Application Security Project Top Ten List 1. Unvalidated Input 2. Broken Access Control 3. Broken Authentication and Session Management 4. Cross-Site Scripting Flaws 5. Buffer Overflows 6. Injection Flaws 7. Improper Error Handling 8. Insecure Storage 9. Denial of Service 10. Insecure Configuration Management *Source

28 OWASP Testing Background of OWASP testing No existing standards prior to OWASP Threat groups not specific threats High level concepts Industry group designed to develop common app pen test language

29 Bridge Cultural Gap Between Security and Developers Key Challenge: Build vs. Measure Cultures Application Development groups are building technical capabilities based upon evolving business requirements Corporate IS Security dept. in charge of ongoing security operations

30 Include Security in SDLC Security must become a key aspect of the development process Security requirements reflected in design plan Ensure the security is part of the iterative development process Changes to web sites are ongoing and are not static QA Group should not be last line of defense

31 Attack Modeling Provides deeper understanding of risk areas Distributed software can be attacked at many points Helps developers think differently Want to create software that is secure enough

32 Attack Modeling ID assets Create an architecture overview Understand application w/ use cases and other modeling tools ID potential threats Enumerate each threat Rank order threats for trade-off analysis

33 Code Evaluation Paths Code review auditing source code Expensive, time consuming, and takes expertise Application assessments reviews functionality and interactions of compiled applications in real-life environments Potentially superficial and only capture a % of actual vulnerabilities in custom code

34 Application Security Reviews Internal or 3 rd party process to assess internally developed applications Assessment reviews major web app vulnerabilities Use best-of-breed tools and custom scripts Integrated with client development schedule Reviews designed to coincide with key development milestones of client project

35 Application Security Reviews Commercial security scanners are becoming more widespread Automated tools are great first-round way to assess potential vulnerabilities However, in-depth assessments use custom scripts and code reviews (sometimes) Analogy of network scanners Consider Augmenting security team with internal or external.net and Java security experts

36 Assessment Benefits 3 rd -party assessment of applications by noted experts; Increase confidence & reliability in application Compliance with government regulations Sarbanes Oxley, GLB, HIPAA Satisfies potential SEC audit objectives Knowledge transfer to clients on development techniques for secure applications

37 Wrap up Application Security is emerging as a critical aspect of enterprise security Emerging best practices include iterative assessments and defense in depth Cultural, organizational, and technical challenges all may hinder an effective strategy

38 Questions and Answers? John Dickson, CISSP (210)