Application Security… What’s that?

Transcript: Application Security… What’s that?

APPLICATION SECURITY…
WHAT’S THAT?
AN INTRODUCTION TO APPLICATION SECURITY
LEVEL 101
WHAT IS APPSEC (APPLICATION SECURITY)?
Application security encompasses measures taken throughout the application's
life-cycle to prevent exceptions in the security policy of an application or the
underlying system through flaws in the design, development, deployment,
upgrade, or maintenance of the application.
(Wikipedia)
WHAT IS APPSEC?
• Wait, what does “application” mean?
• AppSec and my InfoSec program
  • Application security is only one part of a complete information security program
  • Successful InfoSec programs have “buy-in” from all levels of the organization
  • Application security has a higher importance within an InfoSec program due to exposure
    • This requires a focus on “real world” testing
    • Pen testing
WHAT IS APPSEC?
• What is a penetration test?
  • A penetration test, occasionally pentest, is a method of evaluating the security of a computer
    system or network by simulating an attack from malicious outsiders (who do not have an
    authorized means of accessing the organization's systems) and malicious insiders (who have
    some level of authorized access). The process involves an active analysis of the system for any
    potential vulnerabilities that could result from poor or improper system configuration, both
    known and unknown hardware or software flaws, or operational weaknesses in process or
    technical countermeasures. This analysis is carried out from the position of a potential attacker
    and can involve active exploitation of security vulnerabilities.
    (Wikipedia)
WHAT IS APPSEC?
• Penetration tests are valuable for several reasons:
• Determining the feasibility of a particular set of attack vectors
• Identifying higher-risk vulnerabilities that result from a combination of lower-risk
vulnerabilities exploited in a particular sequence
• Identifying vulnerabilities that may be difficult or impossible to detect with automated
network or application vulnerability scanning software
WHAT IS APPSEC?
• Penetration tests are valuable for several reasons:
• Assessing the magnitude of potential business and operational impacts of successful
attacks
• Testing the ability of network defenders to successfully detect and respond to the attacks
• Providing evidence to support increased investments in security personnel and technology
WHAT IS APPSEC?
• Testing Types
  • White Box Testing
    • In penetration testing, white-box testing refers to a methodology where an ethical hacker has
      full knowledge of the system being attacked. The goal of a white-box penetration test is to
      simulate a malicious insider who has some knowledge and possibly basic credentials to the
      target system.
  • Black Box Testing
    • In penetration testing, black-box testing refers to a methodology where an ethical hacker has
      no knowledge of the system being attacked. The goal of a black-box penetration test is to
      simulate an external hacking or cyber warfare attack.
WHAT IS APPSEC?
The applications are the most easily exploitable conduit to the data
(Chart: share of security defects by layer)
• Networks: 15%, network security defects. Secured by Firewalls and IDS’s.
• Servers: 15%, server security defects. Secured by Access Controls, Firewalls, IDS’s, Patch Management.
• Applications: 70%, application and Web Services security defects: CSRF, Malware, Source Disclosure,
  SQL Injection, Session Hijacking, Unauthorized access, Cross Site Scripting, Code injection.
• Ref: OWASP Top 10
WHAT IS APPSEC?
• Who are my enemies?
  • Hackers
  • Insider Attacks
  • Script Kiddies
  • Hacktivists
WHAT IS APPSEC?
• Hackers
  • White Hat
    • A "white hat hacker" (also known as an ethical hacker) breaks security for non-malicious
      reasons, perhaps to test their own security system or while working for a security company
      which makes security software.
  • Black Hat
    • A "black hat hacker" (also known as a cracker) is a hacker who "violates computer security with
      malicious intent or for personal gain" (Moore, 2005).
WHAT IS APPSEC?
• Insider Threats
• Disgruntled Employees
• Corporate Espionage
• Internal threats include any harmful actions with data that violate at least one of the
fundamental principles of information security (integrity, availability, and confidentiality)
and originate from within a company’s information system.
WHAT IS APPSEC?
• Script Kiddies
• A "script kiddie" (aka skiddie) is a person who breaks into computer systems using
automated tools with no understanding or care of how they work.
• Hacktivist
• A hacktivist is a hacker regardless of classification who utilizes technology to announce a
social, ideological, religious, or political message.
WHAT IS APPSEC?
• Key Terms
  • Vulnerability
    • Weakness in an information system, system security procedures, internal controls, or
      implementation that could be exploited or triggered by a threat source.
WHAT IS APPSEC?
• Key Terms
  • Threat
    • Any circumstance or event with the potential to adversely impact organizational operations
      (including mission, functions, image, or reputation), organizational assets, individuals, other
      organizations, or the Nation through an information system via unauthorized access,
      destruction, disclosure, modification of information, and/or denial of service.
WHAT IS APPSEC?
• Key Terms
  • Risk
    • The level of impact on organizational operations (including mission, functions, image, or
      reputation), organizational assets, or individuals resulting from the operation of an information
      system given the potential impact of a threat and the likelihood of that threat occurring.
WHAT IS APPSEC?
• Key Terms
  • APT
    • An advanced persistent threat (APT) is a network attack in which an unauthorized person gains
      access to a network and stays there undetected for a long period of time. The intention of an
      APT attack is to steal data rather than to cause damage to the network or organization. APT
      attacks target organizations in sectors with high-value information, such as national defense,
      manufacturing and the financial industry.
WHAT IS APPSEC?
• What are the most likely threats facing my AppSec program?
  • Cross-Site Scripting (XSS)
  • SQL Injection (SQLi)
  • Weak Authentication
  • Secure Session Vulnerabilities
  • Secure Transmission Vulnerabilities
  • Privilege Escalation
  • Information Leakage and Improper Error Handling
WHAT IS APPSEC?
• Cross-Site Scripting (XSS)
• Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are
injected into the otherwise benign and trusted web sites.
• Persistent VS. Reflected
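The difference between persistent and reflected XSS, and the output-encoding fix for both, as an added Python example (not code from the slides). The comment store, the search handler and the probe string are constructed for the example; the only point being shown is that the stored and the reflected case fail in the same way (untrusted text placed into HTML unencoded) and are fixed the same way.

```python
import html
from urllib.parse import parse_qs

# Constructed in-memory comment store standing in for a database table
# (hypothetical; not part of the original slides).
COMMENTS = []


def save_comment(author, body):
    """Store a comment exactly as submitted. Storing raw input is fine;
    the defect, if any, is introduced when the value is rendered."""
    COMMENTS.append({"author": author, "body": body})


def render_comments_vulnerable():
    """Persistent (stored) XSS: stored values are concatenated into HTML
    unescaped, so a script saved once runs for every later visitor."""
    return "<ul>" + "".join(
        f"<li>{c['author']}: {c['body']}</li>" for c in COMMENTS) + "</ul>"


def render_comments_safe():
    """Same page with HTML entity encoding applied to every untrusted value
    at the point where it is placed into markup."""
    return "<ul>" + "".join(
        f"<li>{html.escape(c['author'])}: {html.escape(c['body'])}</li>"
        for c in COMMENTS) + "</ul>"


def render_search_vulnerable(query_string):
    """Reflected XSS: the search term from the URL is echoed straight back,
    so a crafted link executes once, in the browser of whoever opens it."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {q}</p>"


def render_search_safe(query_string):
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {html.escape(q)}</p>"


def survives_unencoded(rendered, tainted):
    """Detection helper: True if a tainted input reached the output
    unchanged, which is the condition an XSS scanner looks for."""
    return tainted in rendered


if __name__ == "__main__":
    probe = "<script>alert('xss')</script>"   # constructed test input
    save_comment("johnny", probe)
    print("stored, vulnerable:", survives_unencoded(render_comments_vulnerable(), probe))
    print("stored, safe      :", survives_unencoded(render_comments_safe(), probe))
    print("reflected, safe   :", render_search_safe("q=" + probe))
```

`html.escape` is the right tool only for the HTML body context shown here; a value placed inside a JavaScript string, a URL or an attribute needs the encoding for that context, which is why template engines that auto-escape per context are preferred over hand-built strings.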
WHAT IS APPSEC?
• SQL Injection
• A SQL injection attack consists of insertion or "injection" of a SQL query via the input
data from the client to the application.
• A successful SQL injection exploit can read sensitive data from the database, modify
database data (Insert/Update/Delete), execute administration operations on the
database (such as shutdown the DBMS), recover the content of a given file present on the
DBMS file system and in some cases issue commands to the operating system.
WHAT IS APPSEC?
• Weak Authentication Vulnerabilities
  • Weak Passwords
  • User Enumeration
  • Lack of Account Lockout
  • Password Reset Vulnerabilities
WHAT IS APPSEC?
• Secure Session Vulnerabilities
  • Session Poisoning
    • A method to exploit insufficient input validation within a server application
  • Session Fixation
    • An attack that permits an attacker to hijack a valid user session
  • Persistent Cookies
    • Remain on your hard drive until you erase them or they expire
    • Stored with your browser when you click the "remember me" button on the login form
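The two preceding slides (weak authentication and session vulnerabilities) describe controls that belong in the same login path, so here is one added Python example (not code from the slides) that puts them together: salted iterated password hashing, a single generic failure message and constant-time comparison against user enumeration, account lockout after repeated failures, a fresh session id issued at login against session fixation, and a session cookie that is not persistent and not readable by page script. The `AuthService` class, the lockout numbers and the cookie attributes are assumptions for the example.

```python
import hmac
import secrets
import time
from hashlib import pbkdf2_hmac

# Policy values are assumptions for the example, not figures from the slides.
MAX_FAILURES = 5            # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
PBKDF2_ROUNDS = 100_000
GENERIC_ERROR = "Invalid username or password."   # one message for every failure
DUMMY_SALT = bytes(16)      # used when the username is unknown, see login()
DUMMY_HASH = bytes(32)


def hash_password(password, salt=None):
    """Salted, iterated hash; a plain or unsalted hash would make weak
    passwords trivial to recover from a leaked table."""
    salt = salt or secrets.token_bytes(16)
    return salt, pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthService:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so lockout expiry can be tested
        self.users = {}         # username -> credential record
        self.sessions = {}      # session id -> {"user": ..., "authenticated": ...}

    def register(self, username, password):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest,
                                "failures": 0, "locked_until": 0.0}

    def new_anonymous_session(self):
        """Pre-login session id, as used for a cart or a CSRF token."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "authenticated": False}
        return sid

    def login(self, username, password, presented_sid):
        """Returns (success, message, session_id)."""
        user = self.users.get(username)
        if user is not None:
            if user["locked_until"] > self.now():
                # Locked: same generic message, and the password is not even checked.
                return False, GENERIC_ERROR, presented_sid
            if user["locked_until"]:
                user["failures"], user["locked_until"] = 0, 0.0   # lock has expired
        # Hash against a dummy salt for unknown users so the response time does
        # not reveal whether the account exists (user enumeration via timing).
        salt = user["salt"] if user else DUMMY_SALT
        expected = user["hash"] if user else DUMMY_HASH
        _, candidate = hash_password(password, salt)
        if user is None or not hmac.compare_digest(candidate, expected):
            if user is not None:
                user["failures"] += 1
                if user["failures"] >= MAX_FAILURES:
                    user["locked_until"] = self.now() + LOCKOUT_SECONDS
            return False, GENERIC_ERROR, presented_sid
        user["failures"] = 0
        # Session fixation defence: the id the client arrived with (which an
        # attacker may have planted) is retired, never promoted to authenticated.
        self.sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "authenticated": True}
        return True, "OK", sid


def session_cookie_header(sid):
    """A session cookie rather than a persistent one: no Expires/Max-Age, so it
    goes away when the browser closes. Secure keeps it off plaintext HTTP and
    HttpOnly keeps it out of reach of page script."""
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

The "remember me" persistent cookie from the slide would be a separate, long-lived token with its own revocation, never the session id itself written with an Expires date.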
WHAT IS APPSEC?
• Insecure Communication
  • Login forms without SSL encryption
  • Old or outdated algorithm use
  • Backend host communication
  • Failure to encrypt sensitive communications means that an attacker who can sniff traffic
    from the network will be able to access the conversation, including any credentials or
    sensitive information transmitted.
WHAT IS APPSEC?
• Privilege Escalation
• Occurs when a user gets access to more resources or functionality than they are normally
allowed, and such elevation/changes should have been prevented by the application
WHAT IS APPSEC?
• Information Leakage and Improper Error Handling
  • Applications can unintentionally leak information about their configuration, internal workings,
    or violate privacy through a variety of application problems
  • Applications can also leak internal state via how long they take to process certain operations
    or via different responses to differing inputs, such as displaying the same error text with
    different error numbers
  • Web applications will often leak information about their internal state through detailed or
    debug error messages
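The debug-message leak from the last bullet and its fix, as an added Python example (not code from the slides): a handler that returns exception text to the client next to one that logs the detail server-side and returns only a fixed message plus a correlation id. The failing backend call, the `AppError` class and the connection string in the error text are constructed for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


class AppError(Exception):
    """Expected, user-facing conditions (not found, bad input) with a message
    that was written to be shown to the client."""
    def __init__(self, status, public_message):
        super().__init__(public_message)
        self.status = status
        self.public_message = public_message


def leaky_handler(fn):
    """Anti-pattern: the exception text and stack trace go into the response,
    so database errors, file paths and credentials end up in the browser."""
    try:
        return 200, fn()
    except Exception as exc:
        return 500, f"{type(exc).__name__}: {exc}\n{traceback.format_exc()}"


def safe_handler(fn):
    """Known conditions map to their fixed public message; anything else is
    logged in full with a correlation id, and only that id reaches the client
    so support can find the log entry without the detail being exposed."""
    try:
        return 200, fn()
    except AppError as exc:
        return exc.status, exc.public_message
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s", ref)
        return 500, f"An internal error occurred (reference {ref})."


# Constructed failing operations (hypothetical).
def lookup_grade():
    raise ConnectionError("could not connect to postgres://dbadmin:S3cret@db.internal:5432/grades")


def missing_record():
    raise AppError(404, "Record not found.")


if __name__ == "__main__":
    print(leaky_handler(lookup_grade))
    print(safe_handler(lookup_grade))
    print(safe_handler(missing_record))
```

The same fixed-message rule is what prevents the "same error text with different error numbers" leak: every distinguishable failure the client is not meant to tell apart must produce a byte-identical response, not merely similar wording.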
THE STORY OF JOHNNY…
(Diagram: student Johnny and Counselor Wendy, each logging in with a username / password and each holding a sessionid in the application.)
• Johnny plants an attack (within his record) to hijack Wendy’s sessionid.
• He then contacts Wendy by phone: “Hello, I would like to review my grades please…”
• Wendy: “Sure Johnny, let me just log in and take a look at your record…”
• The attack executes in Wendy’s browser without notice. Johnny has captured her sessionid.
• Johnny substitutes his sessionid with that of Wendy and assumes the identity of Wendy within the application.
WHAT HAPPENED TO THE FIREWALL???
(Diagram: the firewall between the outside world and the applications, with traffic crossing it over http/https.)
• Threats on the outside: Hackers, Worms & Viruses, Malicious Insiders
• What now crosses the firewall: Outsourcing, Legacy Application Integration, Web-facing Applications,
  Employee Self-Service, Connectivity with Partners, Suppliers
• FUNDAMENTALLY FLAWED PERCEPTION: fails to protect the most critical component, the Applications
• Today, even the code itself is sometimes “outside the firewall!”
WHAT THE USER SEES…
WHAT A HACKER SEES…
• Eavesdropping
• Password Guessing
• SQL Injection
• Account Enumeration
• Cross-Site Scripting
• Information Gathering
• Social Engineering
HOW DOES THIS HAPPEN?
(Diagram: two circles, Actual Functionality and Intended Functionality.)
• In a perfect world… Actual Functionality and Intended Functionality coincide.
• In the real world… the two circles only partly overlap:
  • Working Features: where actual and intended functionality overlap
  • Security Defects: actual functionality that was never intended
  • Functional Defects: intended functionality that is not actually there
Secure The Application
• Input Validation, Authentication, Authorization, Configuration Management, Protect Sensitive Data,
  Session Management, Cryptography, Parameter Manipulation, Exception Management, Auditing and Logging
Secure The Host
• Patches, Updates, Services, Protocols, Accounts, Ports, Files, Directories, Registry, Shares,
  Auditing, Logging
Network Security
• Router, Firewall, Switch
(Diagram: Web Server, Application Server and Database Server, each shown as Apps running on a Host,
with firewalls between the network tiers.)
Threats and Countermeasures