Web Application Security. Sajjad Pourali CERT of Ferdowsi University of Mashhad

Transcription

1 Web Application Security Sajjad Pourali CERT of Ferdowsi University of Mashhad

2 Take away Why web application security is very important Understanding web application security How to test the security of web applications Introduction to OWASP Application Security Verification Standard (ASVS) Introduction to Common Vulnerability Scoring System (CVSS) Vulnerability Reference Method Vulnerability Database 1

3 Why web application security is very important 2

4 Understanding web application security User Defines a! Query using the! Query interface Query interface sends the query to a server-side processing agent! Server-side agent respond to the query using some data source or other backend service!!! User Client-Side Interface Server-Side Processor Data Source Query results are displayed to the user Server-side agent returns query result Data Source returns query result 3

5 How to test the security of web applications Structured Methodologies Private Methodologies Public Methodologies OWASP Application Security Verification Standard (ASVS) WASC ISO/IEC Unstructured Methodologies 4

6 OWASP Application Security Verification Standard (ASVS) OWASP Application Security Verification Standard (ASVS) Introduction Goals Verification levels Cursory Opportunistic Standard Advanced Detailed verification requirements 5

7 ASVS Introduction What is ASVS Application Security Verification Standard Provides a basis for testing a web application's technical security controls Provides developers with a list of requirements for secure development Goals Performing Web application security verification Commercially-workable open standard Establishing levels of confidentiality in the security of Web applications Use as a metric Use as guidance Use during procurement 6

8 Verification levels 7

9 Level 0: Cursory Primary verification Defined by the organization Not a prerequisite for other levels 8

10 Level 1: Opportunistic Scan easy-to-find vulnerabilities Threats from attackers using simple techniques and tools Roadmap for more thorough inspections in the future 9

11 Level 2: Standard Prevalent security vulnerabilities with moderate-to-serious risk Threats from attackers using custom-tools and manual techniques Industry standard for many business applications 10

12 Level 3: Advanced Advanced and hard-to-exploit vulnerabilities Requires inspection of the application's design Threats from determined attackers focusing on specific targets Critical applications and infrastructure 11

13 Detailed verification requirements Authentication Session Management Access Control Malicious Input Handling Malicious Controls Business Logic File and Resource Mobile Cryptography at Rest Error Handling and Logging Data Protection Communications HTTP 12

14 Common Vulnerability Scoring System (CVSS) Open industry standard for assessing Attempts to assign severity scores to vulnerabilities Allows responders to prioritize responses and resources according to threat Scores are calculated based on a formula that depends on several metrics Ease of exploitation Impact of exploitation Scores range from 0 to 10 (10 being the most severe) CVSS is used to determine: Base Score (Severity) Temporal Environmental 13

15 Base Score (Severity) Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality (C) Integrity (I) Availability (A) 14

16 Temporal Score Exploit Code Maturity (E) Remediation Level (RL) Report Confidence (RC) 15

17 Environmental Score Confidentiality Requirement (CR) Integrity Requirement (IR) Availability Requirement (AR) Modified Attack Vector (MAV) Modified Attack Complexity (MAC) Modified Privileges Required (MPR) Modified User Interaction (MUI) Modified Scope (MS) Modified Confidentiality (MC) Modified Integrity (MI) Modified Availability (MA) 16

18 Vector String 17

19 Vulnerability Reference Method CVE identifier Funding by the National Cyber Security Division of the United States Department of Homeland Security Used by the Security Content Automation Protocol Identifiers for publicly known information-security vulnerabilities in publicly released software packages CVEs are assigned by a CVE Numbering Authority (CNA) Syntax CVE prefix + Year + Arbitrary Digits CVE OSVDB identifier Independent and open-source identifier Other 18

20 Vulnerability Database National Institute of Standards and Technologies (nist.gov) MITRE Corporation (mitre.org) United States Computer Emergency Readiness Team (us-cert.gov) Vulnerability Notes Database (cert.org) Open Source Vulnerability Database (osvdb.org) Security Focus (SecurityFocus.com) 19

21 Security Bulletins and Advisories 20

22 Vulnerability Specification 21

23 Question?! 22

24 References erification_standard_project