How to Build a Trusted Application
John Dickson, CISSP

Overview
• What is Application Security?
• Examples of Potential Vulnerabilities
• Strategies to Build Secure Apps
• Questions and Answers

Denim Group, Ltd. Background
• Enterprise application development company with security expertise
• Large-scale web application development projects
  - Application-level integration
  - Application security assessments and secure application development

What is Application Security?
• Security associated with custom application code
• Focus is on web application security
  - Versus non-Internet facing applications
• Protection of online customer data given recent privacy lapses

Software Implementation – Perfect World
[Diagram: "Intended Functionality" and "Actual Functionality" drawn as one coinciding region]

Software Implementation – Real World
[Diagram: "Intended Functionality" and "Actual Functionality" drawn as overlapping regions, labelled "Built Features", "Bugs", and "Unintended and Undocumented Functionality"]

Nature of HTTP and the Web
• Hyper-Text Transport Protocol (HTTP) is a light-weight application-level protocol with the speed that is necessary for distributed, collaborative information systems.
• HTTP is a state-less, connection-less transmission protocol
• Ports 80 & 443 (HTTP & HTTPS)
• Assumption: web servers expect requests to come from a browser, so they implicitly trust input

Why Application Security?
• More business-critical apps and customer data online
• Attacker community focusing on port 80/443
• Complexities involved with interaction between server, 3rd party code, and custom business logic
• 10% of FBI/CSI Study respondents reported misuse of public web applications
• Compliance pressures (SOX, GLB, HIPAA)

Why Application Security?
• Rapid dev cycle creates control weaknesses
• Much investment focused on infrastructure
  - Well understood threats, mature products
  - Firewalls, authentication, intrusion detection
• Security many times an overlooked facet of web development projects

Additional Challenges
• Most organizations do not have sufficiently skilled resources to cope with application security assessments
• Development teams typically under deadlines

"I love deadlines. I especially love the whooshing sound they make as they fly by."
-- Douglas Adams, Author, Hitchhiker's Guide to the Galaxy

Examples of Potential Vulnerabilities

Parameter Tampering
• Price information is stored in a hidden HTML field with an assigned $ value
• Assumption: hidden field won't be edited
• Attacker edits $ value of product in HTML
• Attacker submits altered web page with new "price"
• Still widespread in many web stores

Price Changes via Hidden HTML tags
[Two screenshot slides; images not present in the extracted text]
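The parameter-tampering slides above describe a store that charges whatever the hidden price field says. The following is an added example (not code from the original presentation) contrasting that pattern with a handler that treats the submitted form as an identifier plus quantity only and looks the price up server-side, plus a detection hook that flags a submitted price disagreeing with the catalog. The catalog, the form body, and the quantity limit are all constructed for the example.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("199.00"),
}

# Constructed form submission in which the hidden "price" field has been
# edited from 199.00 to 1.00 before the page was submitted.
TAMPERED_BODY = "sku=sku-200&qty=1&price=1.00"


def total_trusting_hidden_field(body: str) -> Decimal:
    """Vulnerable pattern from the slide: the server charges the value carried
    in the hidden field, so an edited field changes the amount billed."""
    form = parse_qs(body)
    qty = int(form["qty"][0])
    return Decimal(form["price"][0]) * qty


def total_from_catalog(body: str) -> Decimal:
    """Hardened pattern: the client supplies only an identifier and a quantity;
    the price comes from the catalog and any submitted price is ignored."""
    form = parse_qs(body)
    sku = form["sku"][0]
    qty = int(form["qty"][0])
    if sku not in CATALOG:
        raise ValueError(f"unknown sku {sku!r}")
    if not 1 <= qty <= 100:  # assumed business limit on quantity per order
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def detect_price_mismatch(body: str) -> bool:
    """Detection hook: a submitted price that disagrees with the catalog is
    the signature of an edited hidden field and is worth logging or alerting on."""
    form = parse_qs(body)
    submitted = Decimal(form.get("price", ["0"])[0])
    expected = CATALOG.get(form["sku"][0])
    return expected is not None and submitted != expected


if __name__ == "__main__":
    print("trusting hidden field:", total_trusting_hidden_field(TAMPERED_BODY))  # 1.00
    print("catalog lookup:       ", total_from_catalog(TAMPERED_BODY))          # 199.00
    print("tampering detected:   ", detect_price_mismatch(TAMPERED_BODY))       # True
```

The hardened handler removes the trust assumption entirely rather than trying to protect the hidden field: nothing the browser sends is allowed to decide the amount charged. The mismatch check is cheap to keep in place during a migration and turns every tampering attempt into a log event.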

Cookie Poisoning
• Attacker impersonates another user
  - Identifies cookie values that identify the customer to the site
• Attacker notices patterns in cookie values
  - Edits pattern to mimic another user

Cookie Poisoning
[Four screenshot slides; images not present in the extracted text]
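The cookie-poisoning slides describe a cookie whose value follows a recognisable pattern tied to the customer, so that editing it yields another customer's session. The following added example (not code from the original presentation) shows that pattern beside a hardened design: the cookie carries an unguessable random token that maps to the customer only in a server-side store, and an HMAC tag lets the server reject an edited cookie before any lookup. The server key, the session store, and the cookie names are constructed for the example; a real deployment would load the key from protected configuration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed: loaded from protected configuration in a real deployment; constructed here.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Constructed server-side session store: opaque token -> customer id.
SESSIONS = {}


def issue_predictable_cookie(customer_id: str) -> str:
    """Vulnerable pattern from the slide: the cookie value *is* the customer id,
    so anyone who notices the pattern can substitute another customer's value."""
    return f"cust={customer_id}"


def lookup_predictable_cookie(cookie: str) -> str:
    """The server believes whatever id the cookie carries."""
    return cookie.split("=", 1)[1]


def issue_session_cookie(customer_id: str) -> str:
    """Hardened: a random 256-bit token known to the customer only through the
    server-side store, plus an HMAC tag so that edits are detected on receipt."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    tag = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    return f"sid={token}.{tag}"


def lookup_session_cookie(cookie: str) -> Optional[str]:
    """Returns the customer id, or None if the cookie was edited or is unknown."""
    if not cookie.startswith("sid="):
        return None
    token, _, tag = cookie[4:].partition(".")
    expected = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None                              # edited cookie: log and reject
    return SESSIONS.get(token)


def edit_cookie_value(cookie: str, new_value: str) -> str:
    """Models the slide's edit step: replace everything after '=' with a guess."""
    name, _, _ = cookie.partition("=")
    return f"{name}={new_value}"


if __name__ == "__main__":
    weak = issue_predictable_cookie("1001")
    print(lookup_predictable_cookie(edit_cookie_value(weak, "1002")))  # 1002: impersonation succeeds

    strong = issue_session_cookie("1001")
    print(lookup_session_cookie(edit_cookie_value(strong, "1002")))  # None: tag mismatch
    print(lookup_session_cookie(strong))                             # 1001
```

Two properties do the work here: the token has no relationship to the customer id that could be observed and extrapolated, and the HMAC check fails closed on any modification, which gives the application a clean point at which to log the attempt.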

Unvalidated Input Attack
• Exploitation of implied trust relations
• Instead of: john@doe.com
• Attacker inputs: //////////////////////////////////////////////////
• Exploits lack of boundary checkers on back-end application

Unvalidated Input Attack
[Four screenshot slides; images not present in the extracted text]
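The slide's point is that the back end has no boundary check, so an input like a run of slashes in the email field reaches it unchanged. The following added example (not code from the original presentation) is a small allowlist validator that enforces a length bound and a character pattern per field and rejects fields the form did not declare. The field rules, limits, and sample submissions are constructed for the example and would normally mirror the actual column sizes and formats of the back-end application.

```python
import re

# Constructed schema standing in for the back-end boundaries: each field has a
# maximum length (assumed column size) and an allowlist pattern for its format.
FIELD_RULES = {
    "email": {
        "max_len": 64,
        "pattern": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    },
    "zip": {
        "max_len": 10,
        "pattern": re.compile(r"\d{5}(-\d{4})?"),
    },
}


def validate_field(name: str, value) -> tuple:
    """Check one field against its rule; return (ok, reason)."""
    rule = FIELD_RULES[name]
    if not isinstance(value, str):
        return False, "not a string"
    if len(value) > rule["max_len"]:       # boundary check before anything else
        return False, "too long"
    if not rule["pattern"].fullmatch(value):  # allowlist: only the expected shape
        return False, "unexpected characters"
    return True, ""


def validate_form(form: dict) -> dict:
    """Validate a submitted form; returns a mapping of field -> error (empty when clean)."""
    errors = {}
    for name in FIELD_RULES:
        if name not in form:
            errors[name] = "missing"
            continue
        ok, reason = validate_field(name, form[name])
        if not ok:
            errors[name] = reason
    # Fields the form never declared are rejected as well, not silently passed through.
    for extra in sorted(set(form) - set(FIELD_RULES)):
        errors[extra] = "unexpected field"
    return errors


if __name__ == "__main__":
    # Constructed submissions: the expected value from the slide and the attack input.
    print(validate_form({"email": "john@doe.com", "zip": "78201"}))   # {}
    print(validate_form({"email": "/" * 50, "zip": "78201"}))         # email: unexpected characters
    print(validate_form({"email": "/" * 200, "zip": "78201"}))        # email: too long
```

Checking length before format keeps pathological inputs away from the regular expression, and returning a reason per field gives the application something specific to log when a submission is rejected.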

Potential Strategies to Build Secure Apps
• OWASP resources
• Attack modeling
• Bridge cultural gap
• Assess SDLC
• Application Security Assessments

Open Web Application Security Project Top Ten List
1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross-Site Scripting Flaws
5. Buffer Overflows
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Denial of Service
10. Insecure Configuration Management
*Source: www.owasp.org

OWASP Testing
• Background of OWASP testing
  - No existing standards prior to OWASP
  - Threat groups, not specific threats
  - High level concepts
  - Industry group designed to develop common app pen test language

Bridge Cultural Gap Between Security and Developers
• Key Challenge: Build vs. Measure Cultures
• Application Development groups are building technical capabilities based upon evolving business requirements
• Corporate IS Security dept. in charge of ongoing security operations

Include Security in SDLC
• Security must become a key aspect of the development process
  - Security requirements reflected in design plan
• Ensure that security is part of the iterative development process
  - Changes to web sites are ongoing and are not static
  - QA Group should not be last line of defense

Attack Modeling
• Provides deeper understanding of risk areas
• Distributed software can be attacked at many points
• Helps developers think differently
• Want to create software that is secure "enough"

Attack Modeling
• ID assets
• Create an architecture overview
• Understand application w/ use cases and other modeling tools
• ID potential threats
• Enumerate each threat
• Rank order threats for trade-off analysis
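The six steps above can be carried out on a small architecture overview in code, which makes the "many points" of attack concrete. The following added example (not code from the original presentation, and not a method the slides prescribe) records assets and components, draws the data flows between trust zones, treats every flow that crosses a zone boundary as a potential threat, and rank orders the results. The architecture, the asset impact values, and the likelihood rule (flows originating on the Internet score highest) are all constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    zone: str  # trust zone, e.g. "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    src: Component
    dst: Component
    data: str  # the asset carried on this flow


@dataclass
class Threat:
    flow: Flow
    description: str
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int      # 1 (nuisance) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Step 1, ID assets: constructed impact ratings per asset.
ASSET_IMPACT = {"card number": 5, "session cookie": 4, "catalog page": 1}

# Step 2, architecture overview: constructed components and zones.
BROWSER = Component("browser", "internet")
CDN = Component("cdn", "internet")
WEB = Component("web server", "dmz")
APP = Component("app server", "internal")
DB = Component("database", "internal")

# Step 3, understand the application: constructed data flows from the main use case.
FLOWS = [
    Flow(BROWSER, CDN, "catalog page"),
    Flow(BROWSER, WEB, "session cookie"),
    Flow(WEB, APP, "card number"),
    Flow(APP, DB, "card number"),
]


def crossings(flows):
    """Step 4, ID potential threats: every flow that crosses a trust boundary."""
    return [f for f in flows if f.src.zone != f.dst.zone]


def enumerate_threats(flows):
    """Steps 5 and 6: describe each boundary-crossing threat and rank by score."""
    threats = []
    for f in crossings(flows):
        impact = ASSET_IMPACT.get(f.data, 3)  # assumed default for unrated assets
        # Assumed likelihood rule: Internet-originated flows face the widest attacker population.
        likelihood = 5 if f.src.zone == "internet" else 2
        threats.append(Threat(f, f"tampering with {f.data} on {f.src.name} -> {f.dst.name}",
                              likelihood, impact))
    return sorted(threats, key=lambda t: t.score, reverse=True)


if __name__ == "__main__":
    for t in enumerate_threats(FLOWS):
        print(f"{t.score:>3}  {t.description}")
```

The ranked output is the input to the trade-off analysis on the last step: the team can see which crossings deserve controls first and which can be accepted as "secure enough". Replacing the constructed likelihood rule with the team's own judgement per threat is the intended use.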

Code Evaluation Paths
• Code review – auditing source code
  - Expensive, time consuming, and takes expertise
• Application assessments – reviews functionality and interactions of compiled applications in real-life environments
  - Potentially superficial and only capture a % of actual vulnerabilities in custom code

Application Security Reviews
• Internal or 3rd party process to assess internally developed applications
• Assessment reviews major web app vulnerabilities
• Use best-of-breed tools and custom scripts
• Integrated with client development schedule
  - Reviews designed to coincide with key development milestones of client project

Application Security Reviews
• Commercial security scanners are becoming more widespread
• Automated tools are a great first-round way to assess potential vulnerabilities
• However, in-depth assessments use custom scripts and code reviews (sometimes)
  - Analogy: network scanners
• Consider augmenting the security team with internal or external .Net and Java security experts

Assessment Benefits
• 3rd-party assessment of applications by noted experts; increases confidence and reliability in the application
• Compliance with government regulations
  - Sarbanes Oxley, GLB, HIPAA
  - Satisfies potential SEC audit objectives
• Knowledge transfer to clients on development techniques for secure applications

Wrap up
• Application Security is emerging as a critical aspect of enterprise security
• Emerging best practices include iterative assessments and defense in depth
• Cultural, organizational, and technical challenges all may hinder an effective strategy

Questions and Answers?
John Dickson, CISSP
john@denimgroup.com
(210) 572-4400