Web Applications: The Hacker's New Target (slide 1)
Ross Tang, IBM Rational Software
An IBM Proof of Technology
Hacking 102: Integrating Web Application Security Testing into Development
Are you phished? (slide 2)
http://www.myfoxny.com/dpp/your_money/consumer/090304_facebook_security_breaches
Facebook Worm (slide 3)
http://www.marketwatch.com/investing/stock/stan?countrycode=uk (slide 6)
http://www.marketwatch.com/tools/quotes/lookup.asp?lookup=_funny_behaviour_&country=us (slide 7)
http://www.marketwatch.com/investing/stock/uk:stan?countrycode= UK (slide 8)
The Myth: Our Site Is Safe (slide 10)
- "We Have Firewalls in Place": ports 80 & 443 are open for the right reasons
- "We Audit It Once a Quarter with Pen Testers": applications are constantly changing
- "We Use Network Vulnerability Scanners": they neglect the security of the software on the network/web server
- "We Use SSL Encryption": it only protects data between site and user, not the web application itself
The WEAKEST Link: the Web Application is the last layer of defense (slide 11)
Layers of defense: Desktop, Firewall, IDS/IPS, Web Server, Web Applications
Attacks that reach the web application layer: Cross Site Scripting, Parameter Tampering, Cookie Poisoning, SQL Injection
Other threats and controls shown across the layers: DoS, Antispoofing, Known Vulnerabilities, Port Scanning, Pattern-based Attack, Manual Patching and Code Review
The Reality: Security and Spending Are Unbalanced (slide 12)
Attack types listed: Buffer Overflow, Cookie Poisoning, Hidden Fields, Cross Site Scripting, Stealth Commanding, Parameter Tampering, Forceful Browsing, SQL Injection, etc.

                    % of Attacks    % of Dollars
Web Applications        75%             10%
Network / Server        25%             90%

2/3 of All Attacks on Information Security Are Directed to the Web Application Layer
75% of All Web Applications Are Vulnerable
Sources: Gartner, Watchfire
Black-box (Discovering SQL Injection) (slide 13)
Password field as entered: ******
Resulting query: SELECT * from tusers where userid= AND password= foobar
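The slide's query is built by pasting user input straight into the SQL text, which is exactly what a black-box scanner detects: it submits a value containing a stray quote and watches for a database error. The following Python/sqlite3 code is an added example, not from the deck: it builds the slide's tusers query both by concatenation and with bound parameters, and runs the same quote probe against each. The table contents, the user alice/foobar and the probe value o'brien are all constructed for the example.

```python
import sqlite3

# Added example (not from the deck): the slide's "tusers" query built two ways.
# Table contents, the user "alice"/"foobar" and the probe value are constructed.

def open_db():
    """Constructed in-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tusers (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO tusers VALUES ('alice', 'foobar')")
    conn.commit()
    return conn

def login_vulnerable(conn, userid, password):
    """The slide's query assembled by string concatenation: whatever the user
    types becomes part of the SQL text, so a quote in the input changes the
    structure of the statement."""
    sql = ("SELECT * from tusers where userid='" + userid +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()

def login_parameterized(conn, userid, password):
    """Same lookup with bound parameters: the input reaches the database as
    data and can never alter the statement."""
    sql = "SELECT * from tusers where userid=? AND password=?"
    return conn.execute(sql, (userid, password)).fetchone()

def black_box_probe(login, probe="o'brien"):
    """What the black-box step on the slide does: submit a value containing a
    stray quote and observe whether the application surfaces a database
    error. Returns a short verdict for the given login implementation."""
    conn = open_db()
    try:
        login(conn, probe, "foobar")
        return "no error"
    except sqlite3.Error as exc:
        # A visible SQL syntax error on quote input is the classic tell.
        return "sql error: " + type(exc).__name__
    finally:
        conn.close()

if __name__ == "__main__":
    for name, fn in (("concatenated", login_vulnerable),
                     ("parameterized", login_parameterized)):
        print(name, "->", black_box_probe(fn))
```

The concatenated version fails with a syntax error on a perfectly legitimate name such as o'brien, which is the signal a scanner (or an attentive tester reading error pages) keys on; the parameterized version simply returns no row.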
Example: Cross Site Scripting, The Exploit Process (slide 14)
Parties: Evil.org, User, bank.com
1) Link to bank.com sent to user via e-mail or HTTP
2) User sends script embedded as data
3) Script/data returned, executed by browser
4) Script sends user's cookie and session information without the user's consent or knowledge
5) Evil.org uses stolen session information to impersonate user
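Steps 2 to 4 of the process hinge on two application decisions: whether submitted data is copied back into the page as markup, and whether script can read the session cookie at all. The Python code below is an added example, not from the deck: it contrasts a verbatim reflection with HTML-encoded output, and builds the session Set-Cookie header with the HttpOnly flag that denies step 4 its document.cookie read. The submitted value is a constructed, inert marker, and the session id is constructed.

```python
from html import escape
from http.cookies import SimpleCookie

# Added example (not from the deck). SUBMITTED is a constructed, inert marker
# standing in for step 2 of the slide ("script embedded as data"); the
# session id used below is also constructed.
SUBMITTED = "<script>probe()</script>"

def render_vulnerable(query):
    """Step 3 as the slide describes it: the submitted data is copied back into
    the page verbatim, so the browser parses it as markup and runs it."""
    return "<p>Results for: " + query + "</p>"

def render_encoded(query):
    """Hardened version: HTML-encode the data on output. The browser shows the
    text literally and never sees a <script> element."""
    return "<p>Results for: " + escape(query, quote=True) + "</p>"

def session_cookie_header(session_id, http_only=True):
    """Step 4 depends on script being able to read document.cookie. Marking
    the session cookie HttpOnly keeps it out of script's reach; Secure keeps
    it off plaintext connections."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = http_only
    return cookie.output()

def contains_script_element(html):
    """Crude check used here only to compare the two renderings."""
    return "<script" in html.lower()

if __name__ == "__main__":
    print(render_vulnerable(SUBMITTED))
    print(render_encoded(SUBMITTED))
    print(session_cookie_header("constructed-session-id"))
```

Output encoding removes the execution in step 3; HttpOnly is the defence in depth for step 4, so that a reflection missed somewhere else in the site still cannot hand the session to Evil.org.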
IBM Rational AppScan: End-to-End Application Security (slide 15)
Lifecycle stages and the security activity at each:
- REQUIREMENTS: security requirements defined before design & implementation
- CODE: build security testing into the IDE
- BUILD: automate security / compliance testing in the build process
- QA: security / compliance testing incorporated into testing & remediation workflows
- SECURITY: security & compliance testing, oversight, control, policy, audits
- PRODUCTION: outsourced testing for security audits & production site monitoring
Products across the lifecycle: Security Requirements Definition, AppScan Source, AppScan Tester, AppScan Standard, AppScan ondemand (SaaS), AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting)
Application Security Best Practices
How Internet Banking is secure (slide 16)
Nearly 1000 Companies Depend On Watchfire (slide 17)
- 9 of the Top 10 Largest U.S. Banks
- 8 of the Top 10 Retail Technology Brands
- 7 of the Top 10 Pharma / Clinical Companies
- Multiple Large Government Agencies: Veteran's Affairs, Army, Navy, Air Force, Marines
Common characteristics: large, complex web sites; highly regulated; high user volume; extensive customer data
Security Industry Leaders (slide 18)
Use and/or work with Watchfire solutions in their work: Technology Companies; Consultants and Researchers; More (EDS)
Trojan Software (slide 19)
Cost: $99
Constructor/Turkojan V.4, new features:
- Remote Desktop
- Webcam Streaming
- Audio Streaming
- Remote passwords
- MSN Sniffer
- Remote Shell
- Advanced File Manager
- Online & Offline keylogger
- Information about remote computer
- Etc.