Application Security Best Practices. Wally LEE <wally.lee@scs.com.sg> Principal Consultant


Application Security Best Practices
Wally LEE <wally.lee@scs.com.sg>, Principal Consultant
17/18 March 2009

Speaker Profile
Wally LEE, CISSP, BS7799 Lead Auditor, Certified Ultimate Hacking Instructor, Certified Ultimate Web Hacking Instructor
Principal Consultant, NCS IT Security Consulting Services
- Security practitioner with more than 14 years' experience
- Conducted numerous audits on agencies, ministries and FSI
- Conducted web application penetration tests on hundreds of web applications
- Security expertise includes: web application penetration testing, architecture design, compliance, OS hardening, computer forensics, incident response, audit

AGENDA
- TCP Non-Blind Spoofing attack
- Demo
- Firewall and log correlation
- Application Security in the Enterprise Network
- Web Application Testing and challenges
- Conclusions

TCP Non-Blind Spoofing attack
- Recent talk about famous sites being redirected to a specific site in China
- TCP 3-way handshake
- Only on Windows, with Firefox or IE (it doesn't matter which browser)
- Detailed explanation of how it takes advantage of the 3-way handshake
- Demo

Web site being redirected: http://www.zdnet.com.tw/news/web/0,2000085679,20136641,00.htm

Background
- Some users in Taiwan are mysteriously redirected to a particular website in China (that hosts malware and a rumored 0-day IE exploit)
- Affected sites: www.msn.com.tw, tw.msn.com, taiwan.cnet.com
- Not the famous DNS flaws (by Dan Kaminsky)
- It is confirmed those sites are not compromised

CISCO Advisory

TCP 3-way handshake (Client and Server)
  Client -> Server: SYN, Seq# 1234
  Server -> Client: SYN+ACK, Ack# 1235, Seq# 5678
  Client -> Server: ACK, Ack# 5679
  Client -> Server: GET http://www.example.com, Seq# 5679, NxtSeq# 8888
  Server -> Client: HTTP Contents, Ack# 8888

Non-blind attack (Client and Server, attacker on the same segment)
  Client -> Server: SYN, Seq# 1234
  Server -> Client: SYN+ACK, Ack# 1235, Seq# 5678
  Client -> Server: ACK, Ack# 5679
  Client -> Server: GET http://www.example.com, Seq# 5679, NxtSeq# 8888
  Server -> Client: HTTP Contents, Ack# 8888
  Spoofed (appears to come from Server) -> Client: HTTP 302 Redirect, FIN+ACK, Ack# 8888

TCP Non-Blind Spoofing
- Takes place when the attacker is on the same subnet as the victim
- The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately
- The biggest threat of spoofing in this instance would be session hijacking
- This is accomplished by corrupting the datastream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine
- Using this technique, an attacker could effectively bypass any authentication measures taken to build the connection

Demo
  Client -> Internet: GET http://www.example.com
  Response: 302 Redirect to http://www.malicious_site

What happened?
- Windows received a FIN+ACK packet with a data payload of URL redirect content (HTTP 302 Document Moved)
- According to RFC 793, FIN+ACK packets are not supposed to carry any data payload
- Windows sent a RST+ACK error packet after it received the FIN+ACK packet
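The two observations above (a FIN+ACK segment that carries data, and a spoofed 302 racing the genuine server reply at the same sequence number) can be turned into a passive detection check. The following is an added example, not code from the presentation; the addresses, the HTTP payloads and the segment list are constructed, using the slide's initial sequence numbers (client 1234, server 5678) with data starting one past each SYN.

```python
from collections import defaultdict

SERVER = ("203.0.113.10", 80)   # constructed (TEST-NET-3 address)
CLIENT = ("192.0.2.25", 51234)  # constructed (TEST-NET-1 address)

def segment(src, dst, flags, seq, ack, payload=b""):
    """One TCP segment; flags is a string such as "SA" for SYN+ACK."""
    return {"src": src, "dst": dst, "flags": set(flags),
            "seq": seq, "ack": ack, "payload": payload}

GET_REQ = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REDIRECT = (b"HTTP/1.1 302 Document Moved\r\n"
            b"Location: http://malicious.example/\r\n\r\n")

# Constructed session: handshake, client GET, then two server->client
# segments claiming the same sequence number with different content.
SESSION = [
    segment(CLIENT, SERVER, "S", 1234, 0),
    segment(SERVER, CLIENT, "SA", 5678, 1235),
    segment(CLIENT, SERVER, "A", 1235, 5679),
    segment(CLIENT, SERVER, "PA", 1235, 5679, GET_REQ),
    # spoofed: source looks like the server, FIN+ACK carrying a 302
    segment(SERVER, CLIENT, "FA", 5679, 1235 + len(GET_REQ), REDIRECT),
    # genuine reply arriving later at the same sequence number
    segment(SERVER, CLIENT, "PA", 5679, 1235 + len(GET_REQ),
            b"HTTP/1.1 200 OK\r\n\r\n<html>real page</html>"),
]

def find_injection_indicators(segments):
    """Return (indicator, seq) pairs for suspicious segments:
    'fin_with_payload' - FIN set on a segment that carries data
    'conflicting_data' - same sender and seq seen twice with different data
    """
    findings = []
    seen = defaultdict(list)   # (src, dst, seq) -> payloads observed
    for s in segments:
        if "F" in s["flags"] and s["payload"]:
            findings.append(("fin_with_payload", s["seq"]))
        if s["payload"]:
            key = (s["src"], s["dst"], s["seq"])
            if any(p != s["payload"] for p in seen[key]):
                findings.append(("conflicting_data", s["seq"]))
            seen[key].append(s["payload"])
    return findings

if __name__ == "__main__":
    for name, seq in find_injection_indicators(SESSION):
        print(f"{name} at seq {seq}")
```

The second indicator is the more robust one for an IDS: a spoofed response has to arrive before the real one, so the genuine reply shows up as a retransmission whose bytes disagree with what was already seen.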

One of the culprits

Risks that we are (or may be) facing
- Default homepage on newly installed Windows machines (for Chinese Windows)
- Redirect to phishing site
- Redirect to site hosting malicious wares (rumored IE/Firefox 0-day exploit taking advantage of a browser vulnerability)
For more reading: http://armorize-cht.blogspot.com/2009/03/ip-spoofingarp-spoofingarprouter.html

Web Application Security

Web Application Hacking
- 75% of today's attacks are on the web application (Gartner)
- Attacks are mainly with criminal intent (vs. trophy hacking)
- You can't patch it, you need to rewrite code (it's your own code)
- Attacks cannot be readily detected if no one reviews database or web application transaction logs
- Even the best programmers write insecure code
- Never trust data which is presented to you: assume all input data and remote clients are hostile
- A quick and dirty alternative to source code review

Decompose Web App: Web Application Components
- Presentation Layer: Web Client (IE, Netscape, Firefox, etc.) sends an HTTP request over the Transport (clear-text or SSL) and receives an HTTP reply (HTML, JavaScript, VBScript, etc.)
- Data Processing Layer: Web Server (Apache, IIS, Netscape, etc.) running Web Apps (Perl, C++, CGI, JSP, ASP, PHP, etc.)
- Data Storage Layer: DB (SQL, Oracle, etc.) accessed via ADO, ODBC, etc.

Penetration Test Objectives
- Provides a snapshot of the current level of exposure
- Identify and prioritise visible vulnerabilities (whether from an external or internal network perspective)
- Provide recommendations to mitigate or rectify these vulnerabilities

Web Application Penetration Test
- Automated Scanning vs Manual Penetration Testing
- Web application vulnerabilities can be grouped into two categories: Technical (Programmatic) and Logical (Business Logic)
- Both can be discovered by OWASP Top 10

OWASP Top 10 WebApp Vulnerabilities (http://www.owasp.org)
A1 - Unvalidated Input
A2 - Broken Access Control
A3 - Broken Authentication and Session Management
A4 - Cross Site Scripting (XSS) Flaws
A5 - Buffer Overflows
A6 - Injection Flaws
A7 - Improper Error Handling
A8 - Insecure Storage
A9 - Denial of Service
A10 - Insecure Configuration Management

Automated Web Application Penetration Test
- Automated Web Application Vulnerability Scanning
- Focus on programmatic testing
- Technical vulnerabilities include: Cross-site scripting (XSS), Injection flaws, Buffer overflows
- OWASP Top 10 LHF (Low Hanging Fruit)

Manual Web Application Penetration Test
- Focus on logic testing
- Logical vulnerabilities are much harder to explicitly categorize
- Logical vulnerabilities manipulate the logic of the application to get it to do things it was never intended to do
- e.g. 1: Reset a user's password by guessing the answer to the security question
- e.g. 2: Authenticated as User A, try to read User B's data

Things that automated tools can't do
- Automated tools can't (or can only partially) fill in forms for you automatically, so there is a coverage issue
- Automated tools can't test logical issues like authorization problems since they won't understand your business logic
- Automated tools can't tell you the exact problem; you still need a human to understand and verify the vulnerabilities detected

NCS Web Application Pen-Test Methodology
- Black box testing approach
- Purely TCP 80/443 (or other predefined web services port)
- Hacking through a web browser and a web proxy (to manipulate variables and values sent across)
- Covers OWASP Top 10 Web Application Vulnerabilities
- Both automated (Programmatic) and manual (Business Logic) testing
- Led and executed by a Principal Consultant with a team of qualified and experienced (senior) consultants
Phases:
1. Preparation and Sandbox Definition
2. Reconnaissance and Account Harvesting
3. Vulnerability Scanning and Selection
4. Approvals and Execution of Exploits
5. Clean Up and Report Preparation

Enterprise Security Services
- ASSESS (Security Assessment Services): Policy Review, Compliance Reviews, Penetration Testing, Risk/Threat/Vulnerability Assessment
- DESIGN and EXECUTE (Enterprise Security Solutions): Access Control, Secure Networks, Intrusion Prevention, Content Security + Identity Management, Policy Compliance, Endpoint Security, Threat Management
- PROTECT (Managed Security Services): Incident Response, Log Analysis, Monitoring & Management, Security Advisories
- TRAIN (Education Services): Formal Vendor Education, Customised Courseware

Our Security Consulting Services
- Security Policy Development and Compliance Review
- Host and Application Security Compliance Review
- Network and Web Application Penetration Testing
- Security baseline creation and hardening
(ASSESS: Policy Review, Compliance Reviews, Penetration Testing, Risk/Threat/Vulnerability Assessment)

Firewall and logs correlation

Firewall Rules
No.  Source  Destination  Service      Action
1    Any     Web servers  http, https  Allow
2    Any     Any          Any          Drop
Diagram: traffic reaching the web servers under rule 1 includes HTTP:80, FTP:21, Skype:80, MSN:80

What are we running on port 80? Collaboration / Media, SaaS, Personal

Applications Have Changed, Firewalls Have Not
The gateway at the trust border is the right place to enforce policy control:
- Sees all traffic
- Defines trust boundary
BUT applications have changed (SaaS, Collaboration / Media, Personal):
- Ports -> Applications
- IP Addresses -> Users
- Packets -> Content
Need to restore visibility and control in the firewall

Limitations of current firewalls
- Unable to identify applications, only ports and protocols
- Cannot see user identity from AD, only IP addresses (DHCP)
- Need to correlate IP address with user credential: integrate the firewall with AD to get the credential?
- Not able to isolate access based on group, function, user credential, etc.

Policy-based Control Isolates Access (Finance Users, Cardholder Servers, Infrastructure Servers, Development Servers, Users, WAN and Internet)
- Limit access to the cardholder zone to only Finance users in Active Directory (rule 1)
- Limit application usage to only Oracle (rule 1)
- Block inbound threats (rule 1)
- Monitor/block outbound cardholder data transfer (rule 1)
- Deny and log all else (rule 2)

Logs Correlation
- To log or not to log, that's the question
- Log centrally
- Correlate the logs: Firewall, IPS/IDS, Web servers, Web application, Databases
- SIEM solution

Where are the logs?
- Network Tier (Internet, IPS): src ip & src port, dst ip & dst port
- Presentation Tier (Web Servers): Web user ID
- Application Tier (Application Servers): Application logs
- Data Storage Tier: DB logs
- Also: OS logs, Exchange, AD

Information Overload
The problem with threat detection systems (e.g. IPS) is that they produce so much information that it's difficult to determine what information requires action.

Security Event Management Challenges
- Security information data overload
- What business assets are threatened?
- What course of action should I take to remediate threats?
Pyramid (bottom to top):
- 10,000,000s of Network, Host and Security Log Data: Log Consolidation (IDS/IPS, IDM, Firewall, Antivirus, Policy Compliance, Vulnerability Assessment)
- 100,000s of Events: Event Management, Workflow
- 100s of Incidents: Security Intelligence (Correlation, Prioritization), Security Information Management, feeding Compliance, Help Desk and Legal Dept

Issues that the Enterprise Network is facing
- Too many logs: normalization and filtering are a necessity
- Sophisticated attacks need logs from multiple devices to correlate
- Web application logs and backend DB connections are not in sync
- Each device provides its own perspective of events (may or may not be useful)
- Need common linkage information from additional devices: Web Application Firewall, database gateway

What to correlate? Web Users <=> DB?
- Network Tier (Internet, IPS): src ip & src port, dst ip & dst port
- Presentation Tier (WAF, Web Servers): Web user ID
- Application Tier (Application Servers): Application logs
- Data Storage Tier (DB firewall): DB logs
- Also: OS logs, Exchange, AD

Tracking Web Users to the Database
- Connection pooling (one DB account for many app users) makes it difficult to tell who accessed what data
- With web application firewall and DB gateway logging, we can track what data was accessed through the application and by which web user
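One concrete way to do the correlation the slide describes: with a pooled DB account the only linkage is which app server issued the query and which web request that server was handling at that instant. The following is an added example, not code from the presentation or any vendor product; the WAF and DB-gateway log formats, field names and all values are constructed for illustration, and the time-window matching is an assumed approach.

```python
import shlex
from datetime import datetime, timedelta

# Constructed WAF log: request time, web user, client, backend app server, duration (ms)
WAF_LOG = """\
2009-03-17T10:00:00.000 user=alice client=192.0.2.25 backend=10.0.1.5 url=/account/view ms=120
2009-03-17T10:00:00.050 user=bob client=192.0.2.26 backend=10.0.1.6 url=/report ms=300
2009-03-17T10:00:00.100 user=carol client=192.0.2.27 backend=10.0.1.5 url=/account/view ms=80
"""

# Constructed DB gateway log: query time, source app server, pooled DB account, SQL
DB_LOG = """\
2009-03-17T10:00:00.030 src=10.0.1.5 account=app_pool sql="SELECT * FROM cards WHERE cust_id=1001"
2009-03-17T10:00:00.200 src=10.0.1.6 account=app_pool sql="SELECT SUM(amt) FROM txns"
2009-03-17T10:00:00.110 src=10.0.1.5 account=app_pool sql="SELECT * FROM cards WHERE cust_id=1003"
"""

def parse(line):
    """Split 'timestamp key=value ...' into a dict; shlex keeps the quoted SQL whole."""
    ts, *fields = shlex.split(line)
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec

def attribute_queries(waf_lines, db_lines):
    """Map each DB query to the web users whose requests were in flight on the
    same app server when the query ran. Returns (sql, users) pairs; users is a
    sorted list, empty when no request covers the query and longer than one
    when the attribution is ambiguous (overlapping requests on one server)."""
    requests = []
    for r in map(parse, waf_lines):
        end = r["ts"] + timedelta(milliseconds=int(r["ms"]))
        requests.append((r["backend"], r["ts"], end, r["user"]))
    results = []
    for q in map(parse, db_lines):
        users = sorted({u for srv, start, end, u in requests
                        if srv == q["src"] and start <= q["ts"] <= end})
        results.append((q["sql"], users))
    return results

if __name__ == "__main__":
    for sql, users in attribute_queries(WAF_LOG.splitlines(), DB_LOG.splitlines()):
        tag = "AMBIGUOUS" if len(users) != 1 else users[0]
        print(f"{tag:10} {sql}")
```

The third query lands while both alice's and carol's requests are open on the same app server, so it is reported as ambiguous rather than silently assigned; a WAF or app server that stamps each DB connection with a per-request identifier removes that ambiguity.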

Logs lifecycle?
Log sources along an attack's path: Firewall Logs, IPS Logs, DHCP Logs, Router / Switches Logs, Web Login / AD Username, Application Logs, Database Logs


Why Us?
- Real-world experience
- People, Process, Technology approach
- Understand the lifecycle process
- Standards-compliant
- Technical excellence
- Defence-in-Depth strategy
- Strong business and technology partnerships

Thank You
Let us be a Value Creator for your organisation