Secure development automatic identification and mitigation of application vulnerabilities

Posted on 06-May-2015

Lucent Sky AVM


Secure Development: Automatic Identification and Mitigation of Application Vulnerabilities

JIM LIU

CHIEF GEEK, LUCENT SKY

• What’re application vulnerabilities and why they’re bad

• How to identify vulnerabilities

• How to mitigate vulnerabilities + shameless self plug

What’re application vulnerabilities

• Application vulnerabilities are bugs in source code that allow attackers to bypass security features such as authentication or a firewall

Application Security Feels Like an Uphill Battle

70% of web applications are vulnerable to data theft

480 average vulnerabilities per application

They’re expensive problems, and they are also expensive to fix

What’s wrong with this code?

<% String eid = request.getParameter("eid"); %>
Employee ID: <%= eid %>

What about this one?

String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
String query = "SELECT * FROM items WHERE owner = '"
    + userName + "' AND itemname = '"
    + itemName + "'";
List items = sess.createSQLQuery(query).list();

The most common vulnerabilities: cross-site scripting

• Allows the execution of arbitrary JavaScript in website visitors’ browsers

• Almost every popular website has been hit with XSS in the past

http://youtu.be/LhbUTEccdPs

The most common vulnerabilities: SQL injection

• Allows the execution of arbitrary SQL queries and system commands on the database server

• Over 80% of e-commerce sites in Taiwan currently have SQL injections

http://youtu.be/f5qSs85eGVI

• What’re application vulnerabilities and why they’re bad

• How to identify vulnerabilities

• How to mitigate vulnerabilities + shameless self plug

Beer time!

• What did you do to identify vulnerabilities in your applications?

• What steps were taken to prevent vulnerable applications from being published?

Three different kinds of static code analysis tools

Dynamic or static testing?

SAST is accurate, but what does it really do?

• What’re application vulnerabilities and why they’re bad

• How to identify vulnerabilities

• How to mitigate vulnerabilities + shameless self plug

What do you do with vulnerabilities?

<% String eid = request.getParameter("eid"); %>
Employee ID: <%= eid %>

What do you do with vulnerabilities?

<%@ page import="org.owasp.esapi.ESAPI" %>
<% String eid = request.getParameter("eid"); %>
<%-- encode the untrusted parameter before it reaches the HTML output --%>
Employee ID: <%= ESAPI.encoder().encodeForHTMLAttribute(eid) %>
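The slide above fixes the reflected XSS by output-encoding `eid` before it is written into the page. The following is an added example, not part of the original deck or of Lucent Sky's tooling: it shows the same idea in plain Java so the vulnerable and fixed renderings can be compared side by side. The `encodeForHtmlAttribute` helper is a hypothetical minimal encoder written here for illustration; in real code use a maintained library such as ESAPI (as the slide does) or the OWASP Java Encoder. The `tainted` input is a constructed sample.

```java
public class EmployeeView {

    // Hypothetical minimal HTML-attribute encoder for illustration only.
    // It replaces the five characters that can break out of an attribute
    // value or start new markup; a real encoder covers more edge cases.
    static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Mirrors the vulnerable slide: the request parameter is written straight
    // into the HTML, so a quote in the input closes the attribute early.
    static String renderVulnerable(String eid) {
        return "<input name=\"eid\" value=\"" + eid + "\">";
    }

    // Mirrors the fixed slide: the parameter is encoded for the attribute
    // context first, so the browser treats the whole value as text.
    static String renderFixed(String eid) {
        return "<input name=\"eid\" value=\"" + encodeForHtmlAttribute(eid) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample input: a closing quote followed by extra markup.
        String tainted = "\"><b>injected</b>";
        System.out.println("vulnerable: " + renderVulnerable(tainted));
        System.out.println("fixed:      " + renderFixed(tainted));
    }
}
```

Running it prints the two renderings: in the vulnerable one the `"` closes the `value` attribute and the `<b>` becomes live markup, while in the fixed one every special character is an entity and the input stays inside the attribute. The same encoder must be chosen per context (HTML body, attribute, JavaScript, URL); attribute encoding is what the slide uses.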

What about this one?

String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
// itemName comes straight from the request and is concatenated into the SQL text
String query = "SELECT * FROM items WHERE owner = '"
    + userName + "' AND itemname = '"
    + itemName + "'";
List items = sess.createSQLQuery(query).list();

What about this one?

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.MySQLCodec;

String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
// ESAPI's encodeForSQL takes a database-specific Codec as its first argument;
// MySQLCodec is assumed here, pick the codec matching your database
String query = "SELECT * FROM items WHERE owner = '"
    + userName + "' AND itemname = '"
    + ESAPI.encoder().encodeForSQL(new MySQLCodec(MySQLCodec.Mode.STANDARD), itemName)
    + "'";
List items = sess.createSQLQuery(query).list();
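The slide above mitigates the injection by escaping `itemName` before concatenating it. An added example, not part of the original deck or of Lucent Sky's tooling, shows the alternative a practitioner would normally prefer: binding the value as a query parameter, so it is never part of the SQL text at all and no database-specific escaping is needed. It uses plain JDBC rather than the Hibernate `sess` of the slide; the `items` table and its rows are constructed here, and the example assumes an in-memory H2 database with the H2 driver on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class ItemLookup {

    // Parameterised query: the placeholders are bound as values, so quotes or
    // keywords inside itemName cannot change the structure of the statement.
    static List<String> findItems(Connection conn, String userName, String itemName)
            throws SQLException {
        String sql = "SELECT itemname FROM items WHERE owner = ? AND itemname = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);
            ps.setString(2, itemName);
            try (ResultSet rs = ps.executeQuery()) {
                List<String> out = new ArrayList<>();
                while (rs.next()) {
                    out.add(rs.getString(1));
                }
                return out;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 driver on the classpath; this URL opens an in-memory DB.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                // Constructed sample schema and rows.
                st.execute("CREATE TABLE items (owner VARCHAR(64), itemname VARCHAR(64))");
                st.execute("INSERT INTO items VALUES ('alice', 'laptop'), ('bob', 'phone')");
            }
            // Ordinary lookup: returns alice's laptop.
            System.out.println(findItems(conn, "alice", "laptop"));
            // Constructed input containing a quote and a boolean clause; with the
            // slide's string concatenation this would alter the WHERE clause, with
            // binding it is compared literally against itemname and matches nothing.
            System.out.println(findItems(conn, "alice", "x' OR '1'='1"));
        }
    }
}
```

With Hibernate, the equivalent of the slide's call is a named parameter on the native query, e.g. `sess.createSQLQuery("SELECT * FROM items WHERE owner = :owner AND itemname = :item").setParameter("owner", userName).setParameter("item", itemName).list()`. Escaping, as on the slide, works but has to be done with the right codec at every concatenation point; binding removes that per-call decision, which is why it is the default recommendation.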

AVM: it’s like autocorrect for your code

It’ll work in Eclipse/NetBeans soon… :x

See AVM in action

http://youtu.be/0ZOfenswXmo

Thank you.

JIM LIU

CHIEF GEEK, LUCENT SKY

jim@lucentsky.com