WEB APPLICATION SECURITY
|
|
|
- Sharyl Ward
- 8 years ago
- Views:
Transcription
1 WEB APPLICATION SECURITY Governance and Risk Management YOUR LAST LINE OF DEFENSE Aug ANSES RAH RAH Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software
2 Prolog / Disclaimer: State of Application Security Awareness Today Half the people don t know about it Of the other half who may know something about it ½ of whom may know quite abit about it but ½ of these tend it keep the matter to themselves and/or assume others know as much about it The other half tend to be opinionated Of the other half ½ of these think its other people s job /problem The other ½ don t care about it or don t want to know about it they have other things to worry about or Don t want to take on additional work Or fear if they can t deal with it well they will get into trouble with the bos So we still have a long way to go 2
3 Smarter planet opportunities driven by Web-enabled applications The Opportunity smarter planet Globalization and Globally Available Resources Access to streams of information in the Realtime Web 2.0 SOA Billions of mobile devices accessing the Web New Forms of Collaboration 3
4 Prolog: The Security Journey Continues New, More, Bigger, Better SYSTEMS APPLICATIONS SERVICES -> New Risks -> New Vulnerabilities -> New Hacking methods Viruses, Worms, RATS, Bots (Remote Access TROJANS = Spyware) -> NEW: GOVERNANCE & COMPLIANCE! Data Privacy Data Leakage 4
5 Regulation & Compliance SARBANES-OXLEY, HIPAA, BASEL II It is part of doing business Business Continuity An environment of TRUST For doing business Ensure Orderliness in Internet world Promote Economic growth More than just Confidentiality, Integrity and Availability Privacy 3 rd Party Customer Data 5
6 GOVERNANCE AND COMPLIANCE ILLEGAL TO STEAL AND /OR MISUSE DATA INCLUDING ELECTRONIC DATA 6
7 It Gets Worse WAP, GPRS, EDGE, 3G 802.1x Broadband 7 A hacker no longer needs a big machine
8 Changing security landscape creates complex threats Web-enabled applications drive the need for security New applications are increasing the attack surface Complex Web applications create complex security risks Making applications more available to good users, makes them more available to bad users Web attacks are evolving to blended attacks (i.e. planting of malware on legitimate Web sites) Desktop: Browser Server: Hypervisor and Virtualization Web Applications 8
9 The Myth: Our Site Is Safe We Have Firewalls and IPS in Place Port 80 & 443 are open for the right reasons We Audit It Once a Quarter with Pen Testers Applications are constantly changing We Use Network Vulnerability Scanners Neglect the security of the software on the network/web server We Use SSL Encryption Only protects data between site and user not the web application itself 9
10 SOMETHING Governance & Risk Management IS STILL OUT THERE 10
11 11
12 12
13 13
14 14
15 May 7, 2009 CNet Tech News Governance & Risk Management Report: Hackers broke into FAA air traffic control systems 15
16 16
17 Reality: Security and Spending Are Unbalanced of All Attacks on Information Security are 75% Directed to the Web Application Layer 2/3 of All Web Applications are Vulnerable **Gartner 17
18 WHY DO HACKERS TODAY TARGET APPLICATIONS? Because they know you have firewalls So its not very convenient to attack the network anymore But they still want to attack cos they still want to steal data Because firewalls do not protect against app attacks! So the hackers are having a field day! Very few people are actively aware of application security issues Because web sites have a large footprint No need to worry anymore about cumbersome IP addresses Because they can! It is difficult or impossible to write a comprehensively robust application Developers are yet to have secure coding as second nature Developers think differently from hackers Cheap, Fast, Good choose two, you can t have it all It is a nightmare to manually QA the application Many companies today still do not have a software security QA policy or resource 18
19 Top Hack Attacks Today Target Web Applications 19
20 Web Application Hacks are a Business Issue Application Threat Negative Impact Potential Business Impact Buffer overflow Denial of Service (DoS) Site Unavailable; Customers Gone Cookie poisoning Session Hijacking Larceny, theft Hidden fields Site Alteration Illegal transactions Debug options Admin Access Unauthorized access, privacy liability, site compromised Cross Site scripting Identity Theft Larceny, theft, customer mistrust Misdirect customers to bogus site Stealth Commanding Access O/S and Application Access to non-public personal information, fraud, etc. Parameter Tampering Fraud, Data Theft Alter distributions and transfer accounts Forceful Browsing/ SQL Injection 20 Unauthorized Site/Data Access Read/write access to customer databases
21 21
22 22
23 23
24 24
25 25
26 26
27 25-27 FEB 2009, GOLD COAST, AUSTRALIA NOW WITH ANTI CROSS-SITE-SCRIPTING FILTER! 27
28 Now there s Web Man-in-the Middle Attacks First presented at OWASP AP Conference Mar 09 Brisbane 28
29 Malware on Web Applications Malware can be delivered in many ways: , IM, network vulnerabilities Today, Malware is primarily delivered via Web Applications: Aims to infect those browsing the site Installed via Client-Side (e.g. Browser) Vulnerabilities & Social Engineering Malicious content can be downloaded: From the web application itself Through frames & images leading to other websites Through links leading to malicious destinations Legitimate Sites Hijacked to distribute Malware! McAfee, Asus, US Govt Staff Travel Site, Wordpress.org, SuperBowl, <script src=file.js> IFrame (ads.com) Image (host.com)
30 Governance Real & Example: Risk Management Online Travel Reservation Portal Change the reserid to
31 Real Example : Governance & Risk Management Parameter Tampering Reading another user s transaction insufficient authorization Another customer s transaction slip is revealed, including the address 31
32 Governance Parameter & Risk ManagementTampering Reading another user s invoice The same customer invoice that reveals the address and contact number 32
33 Attacks Sophistication vs. Intruder Knowledge High Intruder Knowledge Tools Low Attack Sophistication Today 33
34 Governance DON T & Risk TRY Management THIS AT HOME! 34
35 Software Application Development Pressures Today I m being asked to: Deliver product faster (a lot faster!) Increase product innovation Improve quality Reduce cost Deliver a secure product (?) 35
36 WHY DO APPLICATION SECURITY PROBLEMS EXIST? IT security solutions and professionals are normally from the network /infrastructure /sysadmin side They usually have little or no experience in application development And developers typically don t know or don t care about security or networking Most companies today still do not have an application security QA policy or resource IT security staff are focused on other things and are swarmed App Sec is their job but they don t understand it and don t want to deal with it Developers think its not their job or problem to have security in coding People who outsource expect the 3 rd party to security-qa for them It is cultural currently to not associate security with coding Buffer Overflow has been around for 25 years! Input Validation is still often overlooked. 36
37 Top 10 OWASP Critical Web Application Security Issues 09 1 Unvalidated Input 2 Broken Access Control 3 Broken Authentication and Session Management 4 Cross Site Scripting Flaws 5 Buffer Overflows 6 Injection Flaws 7 Improper Error Handling 8 Insecure Storage 9 Denial of Service 10 Insecure Configuration Management 37
38 SECURITY TESTING IS PART OF SDLC QUALITY TESTING Collaborative Application Lifecycle Management SDLC Quality Assurance Quality Dashboard Requirements Management Test Management and Execution Defect Management Create Plan Build Tests Manage Test Lab Report Results Open Platform Best Practice Processes Functional Testing SAP Java Performance Testing TEAM SERVER Open Lifecycle Service Integrations Web Service Quality Code Quality System z, i.net Security and Compliance homegrown 38
39 Building security & compliance into the SDLC further back SDLC Coding Build QA Security Production Developers Enable Security to effectively drive remediation into development Developers Developers Provides Developers and Testers with expertise on detection and remediation ability Ensure vulnerabilities are addressed before applications are put into production 39
40 THE NEED FOR SECURITY IN SOFTWARE DEVELOPMENT HAS COME OF AGE NOW SOFTWARE CISSP 1. Secure Software Concepts 2. Secure Software Requirements 3. Secure Software Design 4. Secure Software Coding and Implementation 5. Secure Software Testing 6. Software Acceptance 7. Software Deployment, Operations, Maintenance and Disposal 40
41 Conclusion: Application QA for Security The Application Must Defend Itself You cannot depend on firewall or infrastructure security to do so Bridging the GAP between Software development and Information Security QA Testing for Security must now be integrated and strategic We need to move security QA testing back to earlier in the SDLC at production or pre-production stage is late and expensive to fix Developers need to learn to write code defensively and securely Lower Compliance & Security Costs by: Ensuring Security Quality in the Application up front Not having to do a lot of rework after production 41
42 SDLC Governance & QA Risk Management - YOUR LAST LINE OF DEFENSE 42
43 Governance and Risk Management WEB APPLICATION SECURITY YOUR LAST LINE OF DEFENSE Thank You Anthony LIM MBA CISSP CSSLP FCITIL