How to Build a Trusted Application. John Dickson, CISSP




Overview
- What is Application Security?
- Examples of Potential Vulnerabilities
- Strategies to Build Secure Apps
- Questions and Answers

Denim Group, Ltd. Background
- Enterprise application development company with security expertise
- Large-scale web application development projects
- Application-level integration
- Application security assessments and secure application development

What is Application Security?
- Security associated with custom application code
- Focus is on web application security, versus non-internet-facing applications
- Protection of online customer data, given recent privacy lapses

Software Implementation: Perfect World (diagram: actual functionality coincides with intended functionality)

Software Implementation: Real World (diagram: actual functionality and intended functionality only partly overlap; the rest is built features, bugs, and unintended and undocumented functionality)

Nature of HTTP and the Web
- Hyper-Text Transfer Protocol (HTTP) is a light-weight application-level protocol with the speed necessary for distributed, collaborative information systems
- HTTP is a stateless, connectionless transmission protocol
- Ports 80 & 443 (HTTP & HTTPS)
- Assumption: web servers expect requests to come from a browser, so they implicitly trust input

Why Application Security?
- More business-critical apps and customer data online
- Attacker community focusing on ports 80/443
- Complexities involved with the interaction between server, 3rd-party code, and custom business logic
- 10% of FBI/CSI Study respondents reported misuse of public web applications
- Compliance pressures (SOX, GLB, HIPAA)

Why Application Security? (continued)
- Rapid dev cycle creates control weaknesses
- Much investment focused on infrastructure: well-understood threats, mature products (firewalls, authentication, intrusion detection)
- Security is many times an overlooked facet of web development projects

Additional Challenges
- Most organizations do not have sufficiently skilled resources to cope with application security assessments
- Development teams typically under deadlines

"I love deadlines. I especially love the whooshing sound they make as they fly by." --Douglas Adams, Author, Hitchhiker's Guide to the Galaxy

Examples of Potential Vulnerabilities

Parameter Tampering
- Price information is stored in a hidden HTML field with an assigned $ value
- Assumption: the hidden field won't be edited
- Attacker edits the $ value of the product in the HTML
- Attacker submits the altered web page with the new price
- Still widespread in many web stores

Price Changes via Hidden HTML tags (screenshot slides with no transcribed text)
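The hidden-field price trick described above, as an added example that is not code from the original slides: a constructed order form is parsed the way a browser would submit it, the hidden price is edited, and two checkout handlers are compared. The trusting handler computes the total from whatever price arrives; the hardened handler accepts only a SKU and quantity and prices the order from a server-side catalogue, rejecting unknown SKUs and out-of-range quantities. The form, catalogue, prices and function names are all constructed for this example.

```python
# Added example: parameter tampering on a hidden price field (not code from the slides).
from decimal import Decimal
from html.parser import HTMLParser

# Constructed order form of the kind the slide describes: the unit price rides in a hidden field.
ORDER_FORM = """
<form action="/checkout" method="POST">
  <input type="hidden" name="sku" value="WIDGET-1">
  <input type="hidden" name="price" value="49.99">
  <input type="text" name="qty" value="1">
</form>
"""

# Constructed server-side catalogue: the only source of prices the hardened handler trusts.
CATALOG = {"WIDGET-1": Decimal("49.99"), "GADGET-2": Decimal("120.00")}


class InputCollector(HTMLParser):
    """Collects name/value pairs from <input> tags, i.e. what a browser would POST."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            attr = dict(attrs)
            if "name" in attr:
                self.fields[attr["name"]] = attr.get("value") or ""


def form_fields(html):
    """Simulate an unmodified browser submission of the form."""
    parser = InputCollector()
    parser.feed(html)
    return parser.fields


def edit_field(fields, name, value):
    """Simulate the slide's attacker: the saved page (or the request) is edited before submission."""
    edited = dict(fields)
    edited[name] = value
    return edited


def checkout_trusting_client(form):
    """Vulnerable handler: the total is computed from the price the client sent."""
    return Decimal(form["price"]) * int(form["qty"])


def checkout_server_priced(form):
    """Hardened handler: the client may only name a SKU and a quantity.

    The price comes from CATALOG, so editing the hidden field changes nothing,
    and unknown SKUs or out-of-range quantities are rejected rather than trusted.
    """
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def rejected(handler, form):
    """True if the handler refuses the submission (shows the hardened checks firing)."""
    try:
        handler(form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    honest = form_fields(ORDER_FORM)
    forged = edit_field(honest, "price", "0.01")
    print("trusting client, honest submission:", checkout_trusting_client(honest))
    print("trusting client, edited price:     ", checkout_trusting_client(forged))
    print("server-priced,   edited price:     ", checkout_server_priced(forged))
```

The design point is that nothing a client sends is authoritative: the hidden field is at best a display hint, and the server recomputes the order from data it already holds. The same rule covers any field the browser is "not supposed to" change, such as discount codes, account numbers or role flags.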

Cookie Poisoning
- Attacker impersonates another user
- Identifies the cookie values that ID the customer to the site
- Attacker notices patterns in cookie values
- Edits the pattern to mimic another user

Cookie Poisoning (screenshot slides with no transcribed text)
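The cookie-poisoning scenario above, as an added example that is not code from the original slides. A constructed site identifies customers by a cookie holding a bare customer number; editing that number is enough to become someone else. Two fixes are shown side by side: binding the number to an HMAC so any edit is detected, and replacing it with an opaque random session id that carries no customer information at all. The customer table, signing key, cookie layout and function names are constructed for this example.

```python
# Added example: cookie poisoning against a predictable cookie, with two fixes (not code from the slides).
import hashlib
import hmac
import secrets

# Constructed customer table keyed by the customer number the site puts in its cookie.
CUSTOMERS = {"1042": "alice", "1043": "bob"}

# Constructed signing key; a real deployment loads this from a secret store, never from source.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"


def identify_from_plain_cookie(cookie):
    """Vulnerable: the cookie is 'customer=<number>', so whatever number the client sends is believed."""
    if not cookie.startswith("customer="):
        return None
    return CUSTOMERS.get(cookie[len("customer="):])


def edit_cookie_id(cookie, new_id):
    """Simulate the slide's attacker: spot the pattern and change the number in the stored cookie.

    Any suffix after a '.' (such as a signature) is kept as-is, which is exactly
    what defeats the attacker once the cookie is signed.
    """
    prefix, _, rest = cookie.partition("=")
    _, dot, suffix = rest.partition(".")
    return f"{prefix}={new_id}{dot}{suffix}"


def sign_customer_cookie(customer_id):
    """Fix 1: bind the id to an HMAC so the server can detect any edit."""
    mac = hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    return f"customer={customer_id}.{mac}"


def identify_from_signed_cookie(cookie):
    """Recompute the HMAC over the id and compare in constant time; any mismatch means no user."""
    if not cookie.startswith("customer="):
        return None
    customer_id, dot, mac = cookie[len("customer="):].partition(".")
    if not dot:
        return None
    expected = hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return CUSTOMERS.get(customer_id)


# Fix 2: an opaque random session id; the cookie carries no customer information to edit.
SESSIONS = {}


def start_session(customer_id):
    """Issue a 256-bit random session id and remember server-side who it belongs to."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = customer_id
    return f"session={sid}"


def identify_from_session_cookie(cookie):
    """Look the id up server-side; an edited or guessed id simply maps to nobody."""
    if not cookie.startswith("session="):
        return None
    customer_id = SESSIONS.get(cookie[len("session="):])
    return CUSTOMERS.get(customer_id) if customer_id else None


if __name__ == "__main__":
    plain = "customer=1042"
    print("plain cookie, edited to 1043 ->", identify_from_plain_cookie(edit_cookie_id(plain, "1043")))
    signed = sign_customer_cookie("1042")
    print("signed cookie, edited to 1043 ->", identify_from_signed_cookie(edit_cookie_id(signed, "1043")))
    sess = start_session("1042")
    print("session cookie, edited to 1043 ->", identify_from_session_cookie(edit_cookie_id(sess, "1043")))
```

Of the two fixes, the opaque session id is usually preferable: there is no pattern to notice and nothing to forge without the key, and revoking a session is a server-side delete. The signed variant is useful where server-side session state is unwanted, but it still exposes the customer number and must be rotated if the key is ever compromised.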

Unvalidated Input Attack
- Exploitation of implied trust relations
- Instead of: john@doe.com
- Attacker inputs: //////////////////////////////////////////////////
- Exploits lack of boundary checkers on the back-end application

Unvalidated Input Attack (screenshot slides with no transcribed text)
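The unvalidated-input case above, as an added example that is not code from the original slides. A constructed legacy back end stores an e-mail address into a fixed-width record with no boundary check, so an over-long value makes it fall over; an allow-list validator at the trust boundary rejects such input before it gets there. The validator goes a little beyond the slide's slash string and also handles the other shapes a practitioner checks for (over-long local part, control characters, malformed addresses). The length limits, pattern, back end and function names are constructed for this example.

```python
# Added example: validating a form field before it reaches a back end with no boundary checks
# (not code from the slides).
import re

# Constructed limits: local part up to 64 characters, whole address up to 254.
MAX_LOCAL = 64
MAX_TOTAL = 254
# Allow-list pattern: only characters an address may contain, anchored at both ends.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def validate_email(value):
    """Return (ok, reason). Length is checked first so huge input is cheap to reject."""
    if not isinstance(value, str):
        return False, "not a string"
    if len(value) > MAX_TOTAL:
        return False, "too long"
    if any(ch in value for ch in "\r\n\x00"):
        return False, "control characters"
    local, at, _domain = value.partition("@")
    if not at or len(local) > MAX_LOCAL:
        return False, "bad shape"
    if not EMAIL_RE.match(value):
        return False, "bad format"
    return True, "ok"


class LegacyBackend:
    """Constructed stand-in for the slide's back end: a fixed-width record and no boundary check."""

    FIELD_WIDTH = 64

    def __init__(self):
        self.records = []

    def store(self, value):
        if len(value.encode("utf-8")) > self.FIELD_WIDTH:
            # The failure mode the slide describes: the back end breaks on input it never checked.
            raise RuntimeError("record overflow in legacy store")
        self.records.append(value)
        return len(self.records)


def register_unchecked(backend, email):
    """Vulnerable path: the raw form value goes straight to the back end."""
    return backend.store(email)


def register_validated(backend, email):
    """Hardened path: validate at the trust boundary; the back end only ever sees good input."""
    ok, reason = validate_email(email)
    if not ok:
        return None, reason
    return backend.store(email), "ok"


def unchecked_crashes(email):
    """True if sending the raw value to a fresh back end raises (the slide's failure mode)."""
    try:
        register_unchecked(LegacyBackend(), email)
    except RuntimeError:
        return True
    return False


# Constructed sample submissions: the slide's two inputs plus two more shapes worth rejecting.
SAMPLES = [
    "john@doe.com",
    "/" * 50,
    "a" * 300 + "@example.com",
    "john@doe.com\r\nbcc: someone@example.test",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        shown = sample[:30] + ("..." if len(sample) > 30 else "")
        print(f"{shown!r:40} unchecked crashes={unchecked_crashes(sample)} "
              f"validated={register_validated(LegacyBackend(), sample)}")
```

The validator is deliberately an allow-list (what a value must look like) rather than a deny-list of known-bad strings: the slash string, the over-long value and the CRLF injection attempt are all rejected by rules that say nothing about slashes or newlines specifically. The boundary check belongs in the application, not only in the legacy store, because the store's failure is the symptom the attacker is probing for.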

Potential Strategies to Build Secure Apps

Potential Strategies to Build Secure Apps
- OWASP resources
- Attack modeling
- Bridge cultural gap
- Assess SDLC
- Application security assessments

Open Web Application Security Project Top Ten List
1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross-Site Scripting Flaws
5. Buffer Overflows
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Denial of Service
10. Insecure Configuration Management
Source: www.owasp.org

OWASP Testing
- Background of OWASP testing
- No existing standards prior to OWASP
- Threat groups, not specific threats
- High-level concepts
- Industry group designed to develop a common app pen test language

Bridge Cultural Gap Between Security and Developers
- Key challenge: Build vs. Measure cultures
- Application development groups are building technical capabilities based upon evolving business requirements
- Corporate IS Security dept. is in charge of ongoing security operations

Include Security in SDLC
- Security must become a key aspect of the development process
- Security requirements reflected in the design plan
- Ensure security is part of the iterative development process: changes to web sites are ongoing, not static
- QA group should not be the last line of defense

Attack Modeling
- Provides deeper understanding of risk areas
- Distributed software can be attacked at many points
- Helps developers think differently
- Want to create software that is secure enough

Attack Modeling (steps)
1. ID assets
2. Create an architecture overview
3. Understand the application with use cases and other modeling tools
4. ID potential threats
5. Enumerate each threat
6. Rank-order threats for trade-off analysis

Code Evaluation Paths
- Code review: auditing source code
  - Expensive, time consuming, and takes expertise
- Application assessments: review functionality and interactions of compiled applications in real-life environments
  - Potentially superficial; only capture a percentage of actual vulnerabilities in custom code

Application Security Reviews
- Internal or 3rd-party process to assess internally developed applications
- Assessment reviews major web app vulnerabilities
- Use best-of-breed tools and custom scripts
- Integrated with the client development schedule: reviews designed to coincide with key development milestones of the client project

Application Security Reviews (continued)
- Commercial security scanners are becoming more widespread
- Automated tools are a great first-round way to assess potential vulnerabilities
- However, in-depth assessments use custom scripts and code reviews (sometimes)
- Analogy of network scanners
- Consider augmenting the security team with internal or external .NET and Java security experts

Assessment Benefits
- 3rd-party assessment of applications by noted experts
- Increase confidence and reliability in the application
- Compliance with government regulations: Sarbanes-Oxley, GLB, HIPAA
- Satisfies potential SEC audit objectives
- Knowledge transfer to clients on development techniques for secure applications

Wrap Up
- Application security is emerging as a critical aspect of enterprise security
- Emerging best practices include iterative assessments and defense in depth
- Cultural, organizational, and technical challenges all may hinder an effective strategy

Questions and Answers?
John Dickson, CISSP
john@denimgroup.com
(210) 572-4400