Integrating Web Application Security into the IT Curriculum
|
|
|
- Dustin Randolf Walker
- 8 years ago
- Views:
Transcription
1 Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University
2 Topics Why should we teach web application security? What material do we need to cover? How should we cover that material? Where do we go from here?
3 Is Web Hacking Really That Easy? Exploits of a Mom, XKCD
4 Vulnerability Growth C E R T V u ln e r a b ilitie s V u ln e r a b ilitie s Year
5 Web Vulnerabilities Dominate
6 Reasons for Attacking Web Apps
7 Firewalls Don t Protect Web Apps telnet Firewall ftp Application Web Client HTTP Traffic Web Server Port 80 Application Database Server
8 Browser Malware Bypasses Firewall
9 Goals Identify and explain common vulnerabilities. Explain security implications of client-side technologies like Javascript and ActiveX. Detect security vulnerabilities in web applications using appropriate tools. Design and implement web applications that do not contain common vulnerabilities. Deploy and configure a web application in a secure manner.
10 Topic Outline Web Application Input Client-side Technologies Input-based Attacks Injection Attacks Cross-site Attacks Authentication Secure Programming Operational Security
11 Web App Security in IT2005 IPT5 Software Security WS5 Web Security Web Application Security IAS6 Security Domains IAS11 Vulnerabilities
12 Labs WebGoat exercises on specific vulnerabilities. Using a testing proxy to solve more advanced WebGoat exercises. Assessing an application using a web vulnerability scanner. Assessing a web application using a testing proxy. Reviewing the code of an application using a static analysis tool. Deploying a web application firewall. Participating in the international CTF competition.
13 WebGoat
14 Tools Web Proxies Web Application Firewalls Vulnerability Scanners Static Analysis
15 Web Proxies
16 Altering Form Parameters
17 Fuzz Testing Fuzz testing consists of Sending unexpected input. Monitoring for exceptions.
18 Web Application Firewalls What is a WAF? Web monitoring. Access control. Behind SSL endpoint. A/K/A Deep packet inspection. Web IDS/IPS. Web App Proxy/Shield. mod_security Open source. Embeds in Apache. Reverse proxy.
19 Vulnerability Scanners Spiders site. Identifies inputs. Sends list of malicious inputs to each input. Monitors responses.
20 Static Analysis Automated assistance for code auditing Speed: review code faster than humans can Accuracy: hundreds of secure coding rules Tools Results Coverity FindBugs Fortify Klocwork Ounce Labs
21 Labs WebGoat exercises on specific vulnerabilities. Using a testing proxy to solve more advanced WebGoat exercises. Assessing an application using a web vulnerability scanner. Assessing a web application using a testing proxy. Reviewing the code of an application using a static analysis tool. Deploying a web application firewall. Participating in the international CTF competition.
22 Approaches 1. Students evaluate and fix their own code. 2. Students evaluate and fix your code. 3. Students learn about their own coding mistakes. Scale of project limited to what students can write. Write a web application designed for teaching students. Students evaluate and fix someone else s code Use a web application designed for teaching. Analyze an open source web application with known vulnerabilities reported in NVD or other bug db.
23 Teaching Applications Hacme Bank, Books, Casino, Travel
24 Future Directions: AJAX Security Asynchronous Javascript and XML Expanded server side API. Server API calls can be issued in any order by attacker; cannot assume calls issued in order by your client. Larger amount of client state. Client/server communication using data (XML/JSON) rather than presentation (HTML.)
25 Future Directions: Web Sec Class Web Application Input Client-side Technologies Service Oriented Architectures AJAX Input-based Attacks Injection Attacks Race Conditions Cross-site Attacks Authentication Secure Programming Operational Security
26 Conclusions 1. Defense is shifting from network to application layer. Firewalls, anti-virus, SSL 2. Students need to learn to identify vulnerabilities. 3. input validation, WAF Static analysis of source code. Web proxies and scanners for testing. Students need to learn to remediate vulnerabiliites Web application firewalls for immediate short-term fixes. Repairing source code for long term fixes.