Date posted: 19-Dec-2015
Application Security: What Does it Take to Build and Test a “Trusted” App?
John Dickson, CISSP
Denim Group
Overview
What is Application Security?
Examples of Potential Vulnerabilities
Potential Strategies to Build Secure Apps
Questions and Answers
Denim Group Background
Enterprise application development company with security expertise
Custom software development
Application-level integration
Application security assessments and secure application development
What is Application Security
Security associated with custom application code
Focus is on web application security (versus non-Internet-facing applications)
Complements existing infrastructure security assets such as firewalls, IDS, and secured operating systems
Nature of HTTP and the Web
Connectionless protocol – no state
Anonymity of attacks
Assumption: web servers expect requests to come from a browser, therefore implicitly trust input
Why Application Security
70% of applications reviewed by a security firm had significant security design flaws (@Stake Security Briefing)
Interaction between server, 3rd party code, and custom business logic creates vulnerabilities
Patching or rebuilding the app is expensive
Perception exists that locking down the OS and web server = web security
Why Application Security
Web-facing, business-critical applications: HTTP & SSL open to the world
Much investment focused on infrastructure: well-understood threats, mature products (firewalls, authentication, intrusion detection)
Security is many times an overlooked facet of web development projects
Parameter Tampering
Price information is stored in a hidden HTML field with an assigned $ value
Assumption: hidden field won’t be edited
Attacker edits the $ value of the product in the HTML
Attacker submits the altered web page with the new “price”
Still widespread in many web stores
Cookie Poisoning
Attacker impersonates another user
Identifies cookie values that ID the customer to the site
Attacker notices patterns in cookie values
Edits the pattern to mimic another user
Unvalidated Input Attack
Exploitation of implied trust relations
Instead of: [email protected]
Attacker inputs: //////////////////////////////////////////////////
Exploits lack of boundary checks on the back-end application
Open Web Application Security Project
Top Ten Most Critical Web Application Security Vulnerabilities
1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Access Control
4. Cross-Site Scripting Flaws
5. Buffer Overflows
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Denial of Service
10. Insecure Configuration Management
Source: www.owasp.org
Client-side authentication
Web apps many times use client-side code to present and manage data
Storage of usernames or ID numbers in a cookie makes them ripe for forgery
Sites rely on cookie expiration to terminate sessions; the client can modify cookies to extend that time
Bottom line: Never trust anything from an HTTP request
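The parameter tampering, cookie poisoning, unvalidated input and client-side session slides above all come down to the same server-side rule. The following added example (not from the presentation or Denim Group) shows one checkout handler that applies it: prices come from a server-side catalogue rather than a hidden field, the session cookie carries an HMAC so an edited user id or expiry is rejected, and free-form input is bounded before it reaches the back end. The catalogue, signing key and request strings are constructed for the demo.

```python
import hmac
import hashlib
import re
import time
from urllib.parse import parse_qs

# Constructed sample data: the price list lives on the server and is never
# sent to the browser in a hidden field, so an edited "price" cannot matter.
CATALOGUE = {"sku-100": 4999, "sku-200": 1250}  # price in cents
SECRET_KEY = b"constructed-demo-key-rotate-in-production"
SESSION_TTL = 900  # seconds; enforced by the server, not by cookie expiry
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}$")


def make_session_cookie(user_id, now=None):
    """Issue 'user_id|expiry|HMAC' so any client edit breaks the signature."""
    exp = int(now if now is not None else time.time()) + SESSION_TTL
    payload = f"{user_id}|{exp}"  # assumes user ids contain no '|'
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_session_cookie(cookie, now=None):
    """Return the user id, or None if the cookie was forged or has expired."""
    try:
        user_id, exp, sig = cookie.split("|")
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, f"{user_id}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # cookie poisoning: user id or expiry was edited
    if int(exp) < int(now if now is not None else time.time()):
        return None  # expiry is checked here, not trusted to the browser
    return user_id


def checkout(query_string, cookie, now=None):
    """Handle a checkout request while trusting nothing the client supplied."""
    user_id = verify_session_cookie(cookie, now)
    if user_id is None:
        return {"error": "not authenticated"}
    params = parse_qs(query_string, max_num_fields=10)
    sku = params.get("sku", [""])[0]
    email = params.get("email", [""])[0]
    # Unvalidated input: bound length and shape before the back end sees it.
    if len(email) > 320 or not EMAIL_RE.match(email):
        return {"error": "invalid email"}
    # Parameter tampering: a client-supplied "price" field is simply ignored.
    if sku not in CATALOGUE:
        return {"error": "unknown sku"}
    return {"user": user_id, "sku": sku, "price_cents": CATALOGUE[sku]}
```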
Key Issue: Build vs. Measure Cultures
Application Development groups are building technical capabilities based upon evolving business requirements
Corporate IS Security dept. is in charge of ongoing security operations
Additional Challenges
• Most organizations do not have sufficiently skilled resources to cope with application security assessments
• Development teams are typically under deadlines
“I love deadlines. I especially love the whooshing sound they make as they fly by.” --Douglas Adams, Author, Hitchhiker's Guide to the Galaxy
Emerging Best Practices
Security must become a key aspect of the development process
Security requirements reflected in the design plan
Ensure security is part of the iterative development process
Changes to web sites are ongoing and are not static
QA Group should not be the last line of defense
Code Evaluation Paths
Code review – auditing source code
Expensive, time consuming, and takes expertise
Application assessments – reviews functionality and interactions of compiled applications in real-life environments
Potentially superficial and only capture a % of actual vulnerabilities in custom code
Application Security Reviews
Internal or 3rd party process to assess internally developed applications
Assessment reviews major web app vulnerabilities
Use best-of-breed tools and custom scripts
Integrated with the client development schedule
Reviews designed to coincide with key development milestones of client project
Application Security Reviews
Commercial security scanners are becoming more widespread
Automated tools are great first-round way to assess potential vulnerabilities
However, in-depth assessments use custom scripts and (sometimes) code reviews
Analogy of network scanners: automated scanners find the known, generic issues; the logic specific to the custom application still needs a human review
Consider augmenting the security team with internal or external .Net and Java security experts
Assessment Benefits
3rd-party assessment of applications by noted experts; increases confidence & reliability in the application
Compliance with government regulations: Sarbanes-Oxley, GLB, HIPAA
Satisfies potential SEC audit objectives
Knowledge transfer to clients on development techniques for secure applications
Wrap up
Application Security is emerging as a critical aspect of enterprise security
Emerging best practices include iterative assessments and defense in depth
Cultural, organizational, and technical challenges all may hinder an effective strategy