Don't Blindly Trust Community-Supplied Software - UCLA ...


4 Dec 2013


IT SECURITY AT UCLA:
TOOLS AND RESOURCES AT YOUR DISPOSAL

Information Security Office
UCLA IT Services

Alex M. Podobas

Topics

I. IT Security at UCLA: A Brief Overview

II. What is AppScan? (...and I care why, exactly?)

III. Using AppScan in the Software Development Life Cycle

IV. Making the Case for: Using AppScan to Test Third-Party "Community-Supplied" Additions

I. UCLA IT Security Office

What’s Our Role In This?

I. IT Security at UCLA: An Overview

The IT Security Office operates from UCLA IT Services.

It is responsible for information security practices, technology, and policies across non-medical units at UCLA.

A big part of our strategy is not only making stellar, industry-standard testing tools available but also promoting their use through public talks and pragmatic education resources.


So What, Though?

Web apps at UCLA do business in two currencies: money and information. And very often, in both.

A central premise is that we at UCLA deal in information. Users must, and expect to, trust the many sources of information that the University makes available.

II. What is AppScan?

An overview

II. What is AppScan?

AppScan is a vulnerability assessment tool.

Provided by IBM and licensed by the IT Security Office. We provide it for free to campus departments and encourage its frequent use (we'll get to that in a minute).

AppScan can be run against websites, web applications, and their backend features to evaluate their existing security measures against most known vulnerabilities.
II. What is AppScan?

Made Easy to Use

Accessed from the web browser. Absolutely nothing to install, configure, or set up.

Easy-to-use user interface.

Excellent IBM training reference guides.

Ability to assign custom-made security policies to groups, and assign users to groups. This is a very popular and well-used feature for campus web devs.

II. What is AppScan?

This is anything but an unsupported campus product. We manage it, issue and manage accounts, and create group policies.

IT Security is always willing to:

Provide customized one-on-one and group training sessions for potential or current AppScan users.

Help interpret AppScan reports and provide suggestions.

Fully managed by IT Security Office

Support, Training, and Vulnerability Mitigation Advice

II. What is AppScan?

Generated Reports

AppScan auto-generates readable reports of all potential security issues that were found in the last performed scan.

The level of detail is great:

View vulnerability type by code line

Detailed vulnerability explanation

Suggested mitigation measures



III. AppScan and the Web App SDLC

No one, and no one's affiliated group or department, wants to end up on the front page of the Daily Bruin or the L.A. Times.

III. Making the Case:

AppScan in Web App Development and the SDLC ("Software Development Life Cycle")

III. AppScan and the SDLC

Security itself can be an abstract concept and, unfortunately, many who work in web regard it as an afterthought.

In the context of information security, AppScan is not a cure-all solution (for example, it won't solve poor framework design decisions), but it can certainly assist in identifying potential vulnerabilities.

Key Advantages

AppScan detects:

Embedded malware

Cross-Site Request Forgery

Weak password requirements

Unsecured login forms

Session management errors

Input validation (HTML injection, SQL injection and XSS attacks)

Parameter manipulation (for cookie and hidden field attacks)

Compliance reports for HIPAA, PCI, GLB
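Two of the classes in the list above, input validation (SQL injection) and parameter manipulation (hidden field), are worth seeing in code. The following is an added example written for this page, not code from the presentation, from UCLA IT Security, or from IBM AppScan. It uses a constructed in-memory SQLite catalogue with made-up product names; the handler functions, their names and the probe string are all assumptions chosen to illustrate the two weaknesses and their fixes. Each "vulnerable" function is paired with a hardened one so the difference a scanner is looking for is visible: a parameterised query instead of string-built SQL, and server-side re-reading of the price instead of trusting the hidden field the client posted back.

```python
import sqlite3

# Constructed catalogue for the demo (not real UCLA data): id, name, price in cents.
PRODUCTS = [
    (1, "Transcript request", 1500),
    (2, "Parking permit", 9800),
    (3, "Library fine", 2500),
]


def setup_db():
    """In-memory SQLite store standing in for the web app's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


# --- Input validation: SQL injection -----------------------------------------

def lookup_vulnerable(conn, name):
    """Deliberately weak: the search term is spliced into the SQL text, so a
    quote character in the input changes the structure of the query."""
    sql = "SELECT id, name, price_cents FROM products WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Parameterised query: the driver passes the term as data, never as SQL,
    so the same probe string simply matches no product."""
    sql = "SELECT id, name, price_cents FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# --- Parameter manipulation: hidden price field ------------------------------

def checkout_vulnerable(conn, product_id, posted_price_cents):
    """Deliberately weak: charges whatever price came back in the hidden form
    field, so editing that field changes the amount billed."""
    return {
        "product_id": product_id,
        "charged_cents": int(posted_price_cents),
        "tampered": False,  # the weak version cannot even tell
    }


def checkout_hardened(conn, product_id, posted_price_cents):
    """The hidden field is treated as a hint only: the server re-reads the
    authoritative price and records a mismatch so it can be logged and reviewed."""
    row = conn.execute(
        "SELECT price_cents FROM products WHERE id = ?", (product_id,)
    ).fetchone()
    if row is None:
        raise ValueError("unknown product id %r" % (product_id,))
    authoritative = row[0]
    return {
        "product_id": product_id,
        "charged_cents": authoritative,
        "tampered": int(posted_price_cents) != authoritative,
    }


if __name__ == "__main__":
    db = setup_db()
    probe = "' OR '1'='1"  # classic quote-breaking probe a scanner would send
    print("vulnerable lookup rows:", len(lookup_vulnerable(db, probe)))
    print("hardened lookup rows:  ", len(lookup_hardened(db, probe)))
    print("hardened checkout:     ", checkout_hardened(db, 2, 1))
```

The vulnerable lookup returns the whole table for the probe while the hardened one returns nothing; the hardened checkout bills the catalogue price and flags the mismatch, which is the event worth alerting on.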

III. AppScan and the SDLC

Advantages

Use it as a tool to validate that your application is functioning properly. Security is a major part of this because insecure web apps don't serve their purpose of being reliable sources of information.

Killing two birds with one stone: testing application functionality in part by testing its security. For example, use AppScan to see if a form with inputs that communicates with a backend database is working properly. This tests an application's logic integrity (more compelling for the developer) and also gives real-time feedback.

AppScan's Advantages


III. AppScan and the SDLC

Advantages

When you make any change (be it to code, the underlying database, or your backend hosting system), you immediately invalidate the results of prior security tests, including AppScan tests. Make it part of the SDLC routine.

Scanning only once is expensive in terms of time: when changes are made afterwards, that single AppScan run becomes a waste of time and yields invalid results.

AppScan's Advantages
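The point that any change invalidates earlier results can be enforced rather than remembered. The following is an added example, not part of the presentation and not an AppScan feature or integration (the slides describe no AppScan API, so the scan record here is assumed to be filled in by hand from the report). It fingerprints everything a scan result depends on (code, database schema, hosting configuration, all constructed here as an in-memory set of paths and bytes) and gates a release on the last scan having covered exactly that fingerprint with no open high-severity findings. Function and field names are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for a deployed web app: code, schema and hosting config
# keyed by path. Any of these changing is a "change" in the sense of the slide.
BASELINE: Dict[str, bytes] = {
    "app/forms.py": b"def handle(request):\n    return query(request.form['q'])\n",
    "db/schema.sql": b"CREATE TABLE requests (id INTEGER PRIMARY KEY, q TEXT);\n",
    "hosting/site.conf": b"server_name example.invalid;\nclient_max_body_size 1m;\n",
}


def fingerprint(artefacts: Dict[str, bytes]) -> str:
    """Order-independent SHA-256 over (path, content hash) pairs, so the same
    files in any dict order give the same value and any edit changes it."""
    h = hashlib.sha256()
    for path in sorted(artefacts):
        h.update(path.encode("utf-8") + b"\0")
        h.update(hashlib.sha256(artefacts[path]).digest())
    return h.hexdigest()


@dataclass(frozen=True)
class ScanRecord:
    scan_id: str        # report identifier, copied in by hand from the tool
    fingerprint: str    # fingerprint of exactly what was scanned
    high_findings: int  # unresolved high-severity findings in that report


def record_scan(scan_id: str, artefacts: Dict[str, bytes], high_findings: int) -> ScanRecord:
    """Capture what was scanned alongside the outcome of the scan."""
    return ScanRecord(scan_id, fingerprint(artefacts), high_findings)


def results_still_valid(record: Optional[ScanRecord], artefacts: Dict[str, bytes]) -> bool:
    """A scan result speaks only for the build it was run against."""
    return record is not None and record.fingerprint == fingerprint(artefacts)


def release_gate(record: Optional[ScanRecord], artefacts: Dict[str, bytes]) -> Tuple[bool, str]:
    """Allow release only when the last scan covers this build and is clean."""
    if record is None:
        return False, "no scan on record; scan before release"
    if not results_still_valid(record, artefacts):
        return False, "artefacts changed since scan %s; re-scan required" % record.scan_id
    if record.high_findings > 0:
        return False, "%d high-severity findings open in scan %s" % (
            record.high_findings, record.scan_id)
    return True, "scan %s covers this exact build" % record.scan_id


def changed(artefacts: Dict[str, bytes], path: str, new_content: bytes) -> Dict[str, bytes]:
    """Return a copy of the artefact set with one file replaced (simulates a deploy)."""
    updated = dict(artefacts)
    updated[path] = new_content
    return updated


if __name__ == "__main__":
    rec = record_scan("scan-001", BASELINE, 0)
    print(release_gate(rec, BASELINE))
    after = changed(BASELINE, "db/schema.sql",
                    BASELINE["db/schema.sql"] + b"ALTER TABLE requests ADD COLUMN notes TEXT;\n")
    print(release_gate(rec, after))
```

A schema-only change, which a developer might not think of as a code change, is enough to flip the gate to "re-scan required", which is exactly the slide's point.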


III. AppScan and the SDLC

Considerations

AppScan is incredibly invasive. It can inject bad SQL data and even cause DoS (Denial of Service).

It can cause dramatic performance reductions (including lower read/write database speeds and script processing).

Therefore, we strongly recommend testing your web apps in a sandbox, outside of a production web server environment.

AppScan Considerations

IV. Making the Case:

AppScan and Third-Party, "Community Supplied" Software

IV. AppScan and Third-Party Software

We live in a web where free additions to platforms are readily available, easy to obtain, and easy to install.

Free plugins, add-ons and enhancements are part of ever-growing marketplaces for products like WordPress, Joomla, Plone, and yum for RPM systems (Fedora, CentOS), among many others.


IV. AppScan and Third-Party Software

Human nature has a tendency to trust, especially when a trusted source makes available software under its name. In each of the examples below, the name lends a false allure of credence to the third-party software:

"WordPress Plugin"

"Joomla Extension"

"Plone Add-On"

"jQuery plugin"

IV. AppScan and Third-Party Software

Example 1: Joomla's Official "Vulnerable Extensions List"

http://docs.joomla.org/Vulnerable_Extensions_List

A prolific list of approximately 164 Joomla extensions with known exploits.

These are largely comprised of XSS, file upload, and SQL injection issues: the very vulnerabilities that AppScan is so adept at catching.

IV. AppScan and Third-Party Software

Example 2: Secunia's WordPress Vulnerability Records

http://secunia.com/advisories/product/SOFT_W/#list

Secunia is a reputable European security firm, based in Denmark. Like Sophos, it also maintains a public-facing record of WordPress plugin vulnerabilities.

These are largely comprised of XSS, file upload, and SQL injection issues: the very vulnerabilities that AppScan is so adept at catching.

IV. AppScan and Third-Party Software

A common assumption is that plugins obtained from a source like WordPress, Plone, or Joomla are also safe. This assumption is risky and increases the chance of your web application becoming compromised.

You simply can never be sure that the third-party software, or the unique combination of plugins you use together, has been vetted for security. These are an often overlooked attack vector.

Don't Blindly Trust Community-Supplied Software
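Public records like the two examples above are only useful if they are checked against what is actually installed. The following is an added example written for this page, not code from the presentation or from any of the projects it names. It reads plugin name and version from WordPress plugin header comments (the real "Plugin Name:" / "Version:" header format, with constructed contents and made-up plugin names), compares them against a constructed advisory list modelled on the kind of record the Joomla and Secunia pages keep, and reports every installed extension whose version is below the fixed release or for which no fix exists. Advisory entries, extension names and versions are all constructed; the audit functions are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    platform: str
    extension: str
    fixed_in: Optional[str]  # None: no fixed release has been published
    issue: str


# Constructed advisory list standing in for a published record such as the
# Joomla Vulnerable Extensions List. Names, versions and issues are made up.
ADVISORIES = [
    Advisory("wordpress", "Example Gallery", "1.4.3", "XSS in image caption"),
    Advisory("wordpress", "Demo Contact Form", None, "unrestricted file upload"),
    Advisory("joomla", "Sample Events", "2.1.0", "SQL injection in event id"),
]

# Constructed plugin header comments in the real WordPress header format
# (the main PHP file of a plugin carries "Plugin Name:" and "Version:" lines).
WP_PLUGIN_HEADERS = [
    "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.4.1\n*/\n",
    "<?php\n/*\nPlugin Name: Demo Contact Form\nVersion: 3.0\n*/\n",
    "<?php\n/*\nPlugin Name: Harmless Widget\nVersion: 0.9\n*/\n",
]


def parse_wp_plugin_header(text: str) -> Optional[Tuple[str, str, str]]:
    """Extract (platform, name, version) from a plugin header; None if absent."""
    name = re.search(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", text, re.M)
    version = re.search(r"^\s*\*?\s*Version:\s*(.+?)\s*$", text, re.M)
    if not (name and version):
        return None
    return ("wordpress", name.group(1), version.group(1))


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.10' -> (1, 4, 10). Non-numeric tails ('2.0-beta') are dropped and
    trailing zeros removed so that 1.2 and 1.2.0 compare equal."""
    parts: List[int] = []
    for piece in v.replace("-", ".").split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def affected(installed: str, adv: Advisory) -> bool:
    """Installed version is affected if no fix exists or it predates the fix."""
    if adv.fixed_in is None:
        return True
    return parse_version(installed) < parse_version(adv.fixed_in)


def audit(inventory, advisories=ADVISORIES):
    """inventory: (platform, extension, version) tuples; returns one finding per
    matching advisory so the site owner knows what to update or remove."""
    findings = []
    for platform, ext, version in inventory:
        for adv in advisories:
            if (adv.platform == platform and adv.extension.lower() == ext.lower()
                    and affected(version, adv)):
                findings.append({"platform": platform, "extension": ext,
                                 "installed": version, "fixed_in": adv.fixed_in,
                                 "issue": adv.issue})
    return findings


def audit_site():
    """Build the inventory from the constructed headers plus one Joomla entry."""
    inventory = [h for h in map(parse_wp_plugin_header, WP_PLUGIN_HEADERS) if h]
    inventory.append(("joomla", "Sample Events", "2.1.0"))  # constructed, already at fixed version
    return audit(inventory)


if __name__ == "__main__":
    for finding in audit_site():
        print(finding)
```

Running it lists the outdated gallery plugin and the contact form that has no fix at all (the case where removal, not updating, is the only option), while the widget with no advisory and the Joomla extension already at its fixed version are silent.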

Getting Aboard

Visit itsecurity.ucla.edu/appscan

View a product summary, this presentation, and a contact form. Fill that out to get started. We will handle issuing you an account, creating group policies, setting up a training session, and whatever else you need to get started with AppScan.

I want to use it! What do I do?

Last But Not Least...Let's Follow Up

@UCLAIT_Security

Security Alerts and Advisories

www.itsecurity.ucla.edu

Security listserv and many pragmatic reference and educational resources

Follow and Keep Up With UCLA IT Security