Introduction to Application Security. Trinity University Computer Science. September 18 th, 2008

Transcription

1 Introduction to Application Security Trinity University Computer Science September 18 th, 2008

2 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From Here? Questions 1

3 Background Denim Group San Antonio-based consultancy Custom software development Systems integration Application security Management Team Experience Large-scale software development Air Force information warfare Client service for DoD, Big 4, Fortune 500 Presenter: Dan Cornell Software developer (MCSD, Java 2 Certified Programmer) 2

4 IMPORTANT NOTE!!! Do NOT use any of the tools or techniques discussed today on systems where you are not authorized Do NOT try to break into systems where you do not have authorization to do so Do NOT be an idiot 3

5 What is Application Security and Why is it Important? Application Security Defined Fit with General Information Security Landscape Why Does Application Security Matter 4

6 Application Security Defined Ensuring that custom application code performs as expected under the entire range of possible inputs Goals: Confidentiality Integrity Availability Relationship to Software Quality Assurance Really a sub-area of SQA SQA typically verifies that t software does what it is supposed to do Application security is concerned that software does not do what it should not do 5

7 Software Implementation Perfect World Actual Functionality Intended d Functionality 6

8 Software Implementation Real World Actual Intended d Functionality Functionality Built Features Bugs Unintended And Undocumented Functionality 7

9 Infrastructure Security Software Development: Features, functions and timelines Traditional Information Security: Audit, measure and maintain Application security applies information security principles to custom software development efforts Many traditional information security practitioners are ill- equipped to mitigate application security issues Little to no experience coding No experience coding in modern enterprise environments like.net and J2EE Understand that there are risks, but not in a position to address them 8

10 Why Does This Matter? Business-critical web applications are Internet-facing An increasing number of assets are exposed Most applications have serious flaws Foundstone studies The regulatory environment has changed Sarbanes Oxley GLB California SB-1386 PCI 9

11 Types of Vulnerabilities Technical Vulnerabilities Surface due to insecure programming techniques Typically due to poor input handling and input validation Most scanner tools primarily find technical vulnerabilities Remediation: coding changes Logical Vulnerabilities Surface due to insecure program logic Typically due to poor decisions about trust Most scanner tools are powerless to find logical vulnerabilities Most scanner tools are powerless to find logical vulnerabilities Remediation: architecture and design changes 10

12 Demonstration How do attackers view your web applications? RiskE Utility 11

13 OWASP Top 10 Critical Web Application Security Vulnerabilities Cross Site Scripting (XSS) Injection Flaws Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF) Information Leakage and Improper Error Handling Broken Authentication and Session Management Insecure Cryptographic Storage Insecure Communications Failure to Restrict URL Access ( 12

14 Application Security Landscape Web Application Firewalls Scanning and Assessment Tools Dynamic Analysis Source Code Analysis Secure Development Training SDLC Integration 13

15 What to Do? Code: Validate Inputs and Escape Outputs Design: Create Threat Models and Abuse Cases 14

16 Validate Inputs Positive validation is better than negative validation Negative validation relies on knowing all attacks and is brittle Must be an integer between 1 and 5 is better than Shouldn t contain or < characters 15

17 Escape Outputs Make sure that values are treated as data to be processed rather than code to be executed For HTML: < becomes < > becomes > &b becomes & And so on For database queries: Every database has different escape routines Use parameterized queries (or stored procedures) to make escaping the database s problem 16

18 Threat Modeling and Abuse Cases Threat Modeling is a structured way of breaking down systems to systematically look for potential security problems Out of scope for today Abuse cases involve thinking of what attackers might want to do to the software and guarding against that You will never guess everything, but you should at least try 17

19 Questions Dan Cornell Denim Group, Ltd. Web: Blog: denimgroup.typepad.com 18