ISSA Spring Security Summit 2009

bugenigma, Software & software development
30 Oct 2013

Mike Parsons, CISSP, IAM, IEM

- Why web application security
- The value proposition
- Who sets the standard
  - W3C
  - IETF
  - OWASP
  - WASC
  - PCI
- Remediation strategies
- Some common threats and exploits

Cenzic, Inc. reports in its Web Application Security Trends Report, Q3-Q4 2008 that total vulnerabilities were up over 10 percent from the first half (of 2008); the number of Web application vulnerabilities went up 80 percent.
- At least 80 percent of applications tested were suffering from severe vulnerabilities.
- Most common vulnerabilities related to Information Leaks and Exposures, Cross-Site Scripting, and Session Management.

"However, the economic crisis is holding a number of organizations back from moving forward with this initiative. What's surprising is that most of these companies are still spending money on network security. With 80 percent to 90 percent of Web applications vulnerable, and with 75 percent of attacks occurring through the Web sites, this budget allocation defies logic. But, lack of awareness and understanding of the issues around application security are partly to blame."
-- Cenzic, Inc.

Universal client
- PDAs, netbooks, laptops, all OSs
- Graphical user interface

XML and its extended family provides a common protocol stack from UI to back office
- presentation,
- business logic,
- schema

Reduced development time

Provides systems integration fabric

Web applications on the rise

External-facing web sites are the new company storefronts

Intrinsic impacts
- Branding
- Customer experience
- Securing the data entrusted by partners, customers and employees

Cost impacts
- Fines
- Legal liability
- Loss of business

- eCommerce
- Employee and partner portals
- Federation
- ERP applications
- Unique branding and intellectual property issues
- Cloud computing
  - Software as a Service
  - Hardware as a service


Industry    Applicable regulations
Retail      PCI, State privacy laws
Medical     HIPAA, PCI, State privacy laws
Banking     GLBA, PCI, State privacy laws
Education   FERPA, PCI, State privacy laws

- W3C
- IETF
- OWASP
- WASC
- NIST
- PCI

- Purpose of the web: find useful information
- Evolution to ecommerce and eGovernment
- Standards for SGML, HTML, XML
- XML Signatures and Encryption
- Platform for Privacy Preferences
- Quality assurance through development of validators

Related organizations
- ISOC (Internet Society)
- IAB (Architectural Oversight)
- IESG (Steering Group)
- IETF (Standards and Practices)
- IANA (Protocol parameters and addressing)

Sample standards and practices
- TCP
- UDP
- HTTP
- Cryptography

Open Web Application Security Project
- Organization established to develop and distribute information related to application security
- OWASP Top 10
- Recognized in PCI DSS 1.2, Control 6.6
- Tools like WebGoat and Scarab
- There is a chapter in North Carolina

Develop open source and widely agreed-upon best-practice security standards for the World Wide Web.

Projects
- Web Application Security Scanner Evaluation Criteria
- Web Hacking Incidents Database
- Distributed Open Proxy Honeypots
- Web Security Threat Classification
- Web Application Firewall Evaluation Criteria
- Web Application Security Statistics

Computer Security Division provides standards and technology to protect information systems against threats to the confidentiality, integrity, and availability of information, processes and services in order to build trust and confidence in (IT) systems.

Standards and guidelines of interest include
- encryption,
- web application scanners,
- hashing algorithms,
- digital signatures

Data Security Standard requirement 6.6 addresses Web Application Security specifically
- References OWASP Top 10
- Requires either
  - Web application firewall
  - Code review of all application code by qualified reviewer
- Clarification issued in May that includes WAF evaluation criteria

Vulnerability / Description

A1 - Cross Site Scripting (XSS)
    XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

A2 - Injection Flaws
    The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

A3 - Malicious File Execution
    Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

A4 - Insecure Direct Object Reference
    Attackers can manipulate direct object references to access other objects without authorization.

A5 - Cross Site Request Forgery (CSRF)
    Forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.

A6 - Information Leakage and Improper Error Handling
    Applications unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems.

A7 - Broken Authentication and Session Management
    Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

A8 - Insecure Cryptographic Storage
    Web applications rarely use cryptographic functions properly to protect data and credentials.

A9 - Insecure Communications
    Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 - Failure to Restrict URL Access
    Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users.

- Educate your developers, systems engineers and business units
- Know your infrastructure; reduce the exposure window
- Have a third party assess your security and application integrity
- Evaluate tools and strategies
  - Code assessment
  - Web application firewalls

PCI DSS Requirement

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing a web-application firewall in front of public-facing web applications

Testing Procedure

6.6 For public-facing web applications, ensure that either one of the following methods are in place as follows:
- Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:
  - At least annually
  - After any changes
  - By an organization that specializes in application security
  - That all vulnerabilities are corrected
  - That the application is re-evaluated after the corrections
- Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.

- Qualified organizations that specialize in application security are difficult to find, and the process is expensive
- 3rd-party development or COTS poses problems
  - Access to source code and developers is the issue
- Can be used for in-house development
  - Expertise in secure coding practice
  - Review takes place outside of development
  - Can you review all code changes?


- WhiteHat Sentinel
- AppScan OnDemand Comprehensive
- Cenzic Click to Secure services
- Trustwave Managed Security Services
- Qualys (more generic, but has a web services component)

- Acunetix WVS
- IBM Rational AppScan
- HP WebInspect (formerly SPI Dynamics)
- Cenzic Hailstorm
- N-Stalker (has free edition)
- nCircle WebApp360


- No Magic Quadrant. Gartner has issued various notes on the subject
- Consider WAFEC criteria to evaluate
- Consider DSS criteria to evaluate
- Enterprise architecture is a governing factor
  - In-line vs out-of-line
  - JavaScript vs XML vs Ajax vs Web Services 2.0
  - Web server strategy
- Look for additional value such as positive security model and application integrity remediation
- Look for management interface, flexibility in blocking traffic, scalability

WAFEC addresses the following areas in Version 1.0 (2006)
- Deployment Architecture
- HTTP Support
- Detection Techniques
- Protection Techniques
- Logging
- Reporting
- Management
- Performance
- XML

Future releases to address the following areas
- Compliance, certifications, and interoperability.
- Increase coverage of performance issues (especially on the network level).
- Increase coverage of the XML-related functionality.


- Meet all applicable PCI DSS requirements pertaining to system components
- React appropriately (defined by active policy or rules) to threats against relevant vulnerabilities as identified, at a minimum, in the OWASP Top Ten and/or PCI DSS Requirement 6.5.
- Based on the active policy or rules, log actions taken.
- Inspect web application input and respond appropriately (allow, block, and/or alert)
- Prevent data leakage, meaning have the ability to inspect web application output and respond appropriately (allow, block, mask and/or alert)
- Enforce both positive and negative security models.
- Inspect both web page content, e.g. Hypertext Markup Language (HTML), Dynamic HTML (DHTML), and Cascading Style Sheets (CSS), and the underlying transport protocols that deliver content, e.g. Hypertext Transport Protocol (HTTP) and Hypertext Transport Protocol over SSL (HTTPS).
- Inspect web services messages, if web services are exposed to the public Internet, e.g. Simple Object Access Protocol (SOAP) and eXtensible Markup Language (XML), both document- and RPC-oriented models, in addition to HTTP.
- Inspect any protocol or data construct that is used to transmit data to or from a web application
- Defend against threats that target the WAF itself.
- Support SSL and/or TLS termination, or be positioned such that encrypted transmissions are decrypted before being inspected by the WAF.
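
To make the positive/negative security model, input and output inspection, and action-logging criteria above concrete, here is an added illustration in Python that is not from the presentation or any vendor product: a toy policy check with a constructed parameter allowlist, two constructed attack signatures, and a PAN-masking output filter.

```python
import re
from dataclasses import dataclass, field

# Constructed positive model: per path, the only parameters accepted and the
# exact shape each must have. Anything outside this allowlist is blocked.
POSITIVE_RULES = {
    "/login": {"user": re.compile(r"^[a-z0-9_.]{1,32}$"),
               "pass": re.compile(r"^.{8,128}$")},
    "/search": {"q": re.compile(r"^[\w \-]{1,64}$")},
}

# Constructed negative model: two signatures for traffic known to be hostile.
# A hit raises an alert even on a request the positive model would accept.
NEGATIVE_SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d*'?\s*=\s*'?\d*", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script", re.I)),
]

# Data-leakage control on output: mask the middle digits of 16-digit PANs.
PAN = re.compile(r"\b(\d{4})[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b")

AUDIT_LOG = []  # every action taken is recorded, as the criteria above require

@dataclass
class Decision:
    action: str                        # "allow", "block" or "alert"
    reasons: list = field(default_factory=list)

def inspect_input(path: str, params: dict) -> Decision:
    """Positive model first (block on any violation), then negative model."""
    allowed = POSITIVE_RULES.get(path)
    if allowed is None:
        decision = Decision("block", ["path not in positive model"])
    else:
        bad = [n for n, v in params.items()
               if n not in allowed or not allowed[n].match(v)]
        hits = [name for name, sig in NEGATIVE_SIGNATURES
                if any(sig.search(v) for v in params.values())]
        if bad:
            decision = Decision("block", [f"parameter {n!r} violates positive model" for n in bad])
        elif hits:
            decision = Decision("alert", [f"signature {h}" for h in hits])
        else:
            decision = Decision("allow")
    AUDIT_LOG.append(f"{decision.action.upper()} {path} {'; '.join(decision.reasons)}")
    return decision

def inspect_output(body: str) -> tuple:
    """Mask PANs in a response body; returns (masked body, number of masks)."""
    return PAN.subn(r"\1-****-****-\2", body)
```

Because the allowlist runs first, a request that violates it is blocked before any signature is consulted; the signatures only decide between allow and alert for requests the positive model already accepts.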


- Barracuda Application Gateway
- Breach Security
  - WebDefend
  - ModSecurity
- Citrix NetScaler Application Security Firewall
- F5 Application Security Manager
- Fortinet Web Application/XML Firewall Appliance
  - FortiWeb
  - FortiDB
- Imperva SecureSphere
  - Web Application Firewall
  - Database Firewall


- WASC Statistics
- SecurityFocus
- Mitre Corporation
- CERT
- W3C
- WebGoat Demo Environment
- Managed Service Providers e.g. Trustwave, Cenzic


Stakeholder   Website
WASC          http://www.webappsec.org/
OWASP         http://www.owasp.org
IETF          http://www.ietf.org
W3C           http://www.w3c.org
NIST          http://csrc.nist.gov/mission/index.html
PCI           https://www.pcisecuritystandards.org/

Thank you for your attention

Mike Parsons
Security Consultant
Carolina Advanced Digital
336-403-9710
mike@cadinc.com