1 / 83

Secure software development for the World Wide Web

Secure software development for the World Wide Web. Derek Mathieson Group Leader Advanced Information Systems CERN – Geneva, Switzerland. Agenda. Impact of Security Flaws Definitions Types of Attack Techniques / Solutions. Why Secure Web Application?. Impact of Security Flaws.

haig
Download Presentation

Secure software development for the World Wide Web

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Secure software development for the World Wide Web Derek MathiesonGroup LeaderAdvanced Information Systems CERN – Geneva, Switzerland

  2. Agenda • Impact of Security Flaws • Definitions • Types of Attack • Techniques / Solutions

  3. Why Secure Web Application?

  4. Impact of Security Flaws • Ping of death • Morris worm (1988) • ~6,000 infected computers • Santy (2004) • ~40,000 infected computers (in 24 hours) • Conficker (2008) • 17,000,000 infected computers

  5. US Army • Computer Virus Hits U.S. Drone Fleet

  6. SONY PlayStation Network

  7. SonyPictures.com

  8. SONY PlayStation Network

  9. Top 25 Software Errors

  10. Top 25 Software Errors

  11. Definitions • Identification • Authentication • Authorisation • Session Management

  12. Identification / Authentication • How Can You Prove Who You Are? • Biometric Passport • Photo ID • Fingerprint • Username / Password

  13. Definitions • Entity • A User, another computer system component • Identification • Providing credential such that a system can recognise the entity and distinguish it from other entities. • Authentication • The process of verifying the identity of an entity.

  14. Authentication Factors • Something an entity knows: • Password, PIN • Something an entity has: • ID Card, private key • Something an entity is: • Fingerprint, iris scan, …

  15. Authentication • Single / Multi-factor Authentication • Password only • Password + Fingerprint • Trade-off between • Convenience • Cost • Complexity • Security

  16. Identity Theft • Compromised Passwords • Self Service password reset • Lost ID Cards • Blocking List • Compromised Private Keys • CRL • What about Biometrics? • No easy solution

  17. Passwords • Server good practices • Never store them in ‘clear’ • Use encrypted communication protocols (SSL) • Log authentication failures • Use generic error messages: • User/password combination not recognised’ • Show user • Last login date • Previous failed login attempts

  18. Web Authentication Techniques • Basic Authentication • Digest Authentication • Form Authentication

  19. Basic Authentication

  20. Basic Authentication Username : Password Base64 QWxhZGRpbjpvcGVuIHNlc2FtZQ==

  21. Basic Authentication • No encryption • Username / Password ‘encoded’ • Depends on a secure communication channel

  22. Digest Authentication

  23. Digest Authentication Username realm Password MD5 =HA1 348RU349URFJ934FH3FH9… GET /Protected/secrets.html Method URI MD5 =HA2 4I0R9I34F034403RI4I…

  24. Digest Authentication HA1 nonce HA2 MD5 =response R3984UR34R43RU…

  25. Digest Authentication • Advantages • Communication is more secure • Some doubts over irreversibility of MD5 • Server nonce can avoid replay attacks • Disadvantages • Server password file is contains usable credentials in plaintext • Vulnerable to a man-in-the-middle (MitM) attack

  26. Digest Authentication Request + Digest Request 401 Unauthorized + nonce Response User Server

  27. Digest Authentication Request Request 401 Unauthorized + basic auth 401 Unauthorized + nonce Attacker User Server

  28. Digest Authentication Request + Digest Request + basic Response Response Attacker User Server

  29. Form Authentication

  30. Form Authentication • Advantages • Simple to develop • Richer User Interface • Can use multifactor authentication • Disadvantages • Depends on a secure communication channel (usually)

  31. Other Authentication Methods • Single Sign-on • OpenID, Shibboleth, … • Integrated Windows Authentication • Token-based • One Time Passwords (OTP) • SecureID, YubiKey • Public key authentication (SSL client certificates).

  32. Authorisation

  33. Authorisation • An Authorisation system should: • Allow access to resources to users/systems that are permitted to access them. • Prevent access to those that are not permitted.

  34. Authorisation • System requirements: • Who (entity) • What (resource) • Which operation (read / update / delete / …) • Access Policy

  35. Role Based Access Control • Roles are identified • e.g. administrator, group leader, developer. • Rights are assigned to roles • group leader can access homepage • Roles are assigned to entities • Derek is a group leader

  36. AIS Roles

  37. Role Based Access Control • Less complex than individual assignment of access rights • Roles can link to organization roles • Automatic maintenance • Less administration

  38. Authorisation: Good Practices • Check every access • Centralise rights management • Principal of Least Privilege

  39. Session Management

  40. Session Management • Why do we need it? • HTTP is state-less

  41. Session Management Credentials Session ID: 42 User Server Derek 42 Frank 43 Jim 44 Alex 45 Jane 46 Billy 47 Lilly 48 Session Memory

  42. Session Management • Good Practices • Keep Session ID secret! • Use encrypted communications. • Make them unpredictable • Based on a random sequence • Never re-used • Time limited • Use a standard framework

  43. Types of Attack

  44. Types of Attack • Session • Session Fixation / Session ID Forgery • Cross-Site Scripting • Cross-Site Request Forgery • Injection • SQL Injection • Command Injection • Google Hacks

  45. Session ID Forgery • URL Manipulation • POST parameter Manipulation

  46. Citibank Citibank customers lost $2.7 million in recent attack June 2011

  47. PayPal 23-year-old hacker accessed 200,000 PayPal accounts April 2012

  48. Cross-Site Scripting XSS

  49. Cross-Site Scripting • The most common publicly-reported security vulnerability • Up to 68% of websites could be vulnerable

  50. Cross-Site Scripting (Persistent) request <script>…</script> response +malicious script Attacker Server User

More Related