How to Build a Trusted Application John Dickson, CISSP

Transcription

How to Build a Trusted
Application
John Dickson, CISSP
Overview
What is Application Security?
Examples of Potential Vulnerabilities
Strategies to Build Secure Apps
Questions and Answers

Denim Group, Ltd. Background

Enterprise application development
company with security expertise
Large-scale web application development
projects
Application-level integration
Application security assessments and secure
application development

What is Application Security?
Security associated with custom
application code
Focus is on web application security

Versus

non-Internet facing applications
Protection of online customer data given
recent privacy lapses
Software Implementation – Perfect World
Actual
Functionality
Intended
Functionality
Software Implementation – Real World
Actual
Functionality
Intended
Functionality
Built
Features
Unintended
And Undocumented
Functionality
Bugs
Nature of HTTP and the Web

Hyper-Text Transport Protocol (HTTP) is a light-weight
application-level protocol with the speed that is
necessary for distributed, collaborative information
systems.
HTTP is a state-less, connection-less transmission
protocol
Ports 80 & 443 (HTTP & HTTPS)
Assumption: web servers expect request to come from
browser - implicitly trust input
Why Application Security?

More business-critical apps and customer data
online
Attacker community focusing on port 80/443
Complexities involved with interaction between
server, 3rd party code, and custom business
logic
10% of FBI/CSI Study respondents reported
misuse of public web applications
Compliance pressures (SOX, GLB, HIPAA)
Why Application Security?
Rapid dev cycle creates control
weaknesses
Much investment focused on infrastructure

Well
understood threats, mature products
Firewalls, authentication, intrusion detection

Security many times an overlooked facet
of web development projects
Additional Challenges
• Most organizations do not have sufficiently
skilled resources to cope with application
security assessments
• Development teams typically under
deadlines
I love deadlines. I especially love the whooshing sound they make as they
fly by.
--Douglas Adams, Author, Hitchhiker's Guide to the Galaxy.
Examples of Potential Vulnerabilities
Parameter Tampering
Price information is stored in hidden HTML
field with assigned $ value
Assumption: hidden field won’t be edited
Attacker edits $ value of product in HTML
Attacker submits altered web page with
new “price”
Still widespread in many web stores

Price Changes via Hidden HTML
tags
Price Changes via Hidden HTML
tags
Cookie Poisoning

Attacker impersonates another user
Identifies
cookie values that ID’s the customer
to the site

Attacker notices patterns in cookie values
Edits
pattern to mimic another user
Cookie Poisoning
Cookie Poisoning
Cookie Poisoning
Cookie Poisoning
Unvalidated Input Attack
Exploitation of implied trust relations
Instead of:

[email protected]
Attacker inputs:
//////////////////////////////////////////////////

Exploits lack of boundary checkers on back-end
application
Potential Strategies to Build Secure Apps
Potential Strategies to Build Secure
Apps
OWASP resources
Attack modeling
Bridge Cultural gap
Assess SDLC
Application Security Assessments

Open Web Application Security
Project Top Ten List
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Unvalidated Input
Broken Access Control
Broken Authentication and Session Management
Cross-Site Scripting Flaws
Buffer Overflows
Injection Flaws
Improper Error Handling
Insecure Storage
Denial of Service
Insecure Configuration Management
*Source www.owasp.org
OWASP Testing

Background of OWASP testing
No existing standards prior to OWASP
Threat groups – not specific threats
High level concepts
Industry group designed to develop common
app pen test language

Bridge Cultural Gap Between
Security and Developers
Key Challenge: Build vs. Measure
Cultures
Application Development groups are
building technical capabilities based upon
evolving business requirements
Corporate IS Security dept. in charge of
ongoing security operations

Include Security in SDLC

Security must become a key aspect of the
development process
Security

requirements reflected in design plan
Ensure the security is part of the iterative
development process
Changes
to web sites are ongoing and are not
static
QA Group should not be last line of defense
Attack Modeling

Provides deeper understanding of risk
areas
Distributed software can be attacked at
many points
Helps developers think differently
Want to create software that is secure
“enough”
Attack Modeling

ID assets
Create an architecture overview
Understand application w/ use cases and
other modeling tools
ID potential threats
Enumerate each threat
Rank order threats for trade-off analysis
Code Evaluation Paths

Code review – auditing source code
Expensive,
time consuming, and takes
expertise

Application assessments – reviews
functionality and interactions of compiled
applications in real-life environments
Potentially
superficial and only capture a % of
actual vulnerabilities in custom code
Application Security Reviews

Internal or 3rd party process to assess internally
developed applications
Assessment reviews major web app
vulnerabilities
Use best-of-breed tools and custom scripts
Integrated with client development schedule

Reviews designed to coincide with key development
milestones of client project
Application Security Reviews

Commercial security scanners are becoming
more widespread
Automated tools are great first-round way to
assess potential vulnerabilities
However, in-depth assessments use custom
scripts and code reviews (sometimes)
Analogy

of network scanners
Consider Augmenting security team with internal
or external .Net and Java security experts
Assessment Benefits
3rd-party assessment of applications by
noted experts; Increase confidence &
reliability in application
Compliance with government regulations

Sarbanes
Oxley, GLB, HIPAA
Satisfies potential SEC audit objectives

Knowledge transfer to clients on
development techniques for secure
applications
Wrap up
Application Security is emerging as a
critical aspect of enterprise security
Emerging best practices include iterative
assessments and defense in depth
Cultural, organizational, and technical
challenges all may hinder an effective
strategy

Questions and Answers?
John Dickson, CISSP
[email protected]
(210) 572-4400