Developing a Secure Web Application
PwC Information Security, April 2007

Hui Zhu, Information Security Architect, Information Security, 416 9418383 Ext. 13238, [email protected]
Adrien Mak, Director, IT Advisory, Cell: 416-721-4613, Office: 416-365-8191, [email protected]
Slide 2
PricewaterhouseCoopers Date Page 2 [Slide to be removed]
Presenter: Adrien Mak & Hui Zhu
Session Title: Developing a Secure Web Application
Session Description: The session will review web application security issues, with demonstrations of common vulnerabilities, using a case study of a web application development project as a backdrop. We will present how to incorporate security elements into the Systems Development Life Cycle (SDLC) to improve the security of the application design and implementation. This will include elements such as a web application security framework, a security requirement study, threat modeling, security testing, code review, and operational security.
Content Development
Formatting:
- To be fixed and aligned with the PDit/CIPS template if provided.
- Colour to be adjusted.
- Adjust footer to include PDIT or CIPS, or EnergiseIT.
- Have marketing review and polish.
Content:
- Overall, tighten up the presentation with fewer slides.
- Collapse section 3 and refer to external methodologies and tools.
- Add the case study on the payment registration web application (sanitize first).
- Tighten up summary / key messages.
Slide 3
Agenda
1. Facts of Web Application Security
2. Web Application Vulnerability Classification
3. Case Study: Developing a Secure Web Application
4. Integrate Web Application Assessment and Code Review

"A few lines of code can wreak more havoc than a bomb." - Tom Ridge, (Former) Secretary of the U.S. Department of Homeland Security
Slide 4
Agenda
1. Facts of Web Application Security
2. Web Application Vulnerability Classification
3. Case Study: Developing a Secure Web Application
4. Integrate Web Application Assessment and Code Review
Slide 5
The Facts of Application Security
Industry Perspectives
- 75% of attacks today happen at the application (Gartner).
- The cost of correcting code in production increases up to 100 times compared to correcting it in development (MSDN, November 2005).
PwC Perspectives
- 95% of the apps we tested had serious security bugs!
- 100% of 5-year-old apps have serious security bugs.
- The cost and reputation savings of avoiding a security breach are priceless.
Slide 6
Security Professionals Don't Know the Applications
"As an Application Developer, I can build great features and functions while meeting deadlines, but I don't know how to develop my web application with security as a feature."
The Application Security Gap
"As a Network Security Professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution but don't know if it's protecting what it's supposed to."
Application Architects and Developers Don't Know Security
Why Application Risks Occur
Source: The Hacker Evolution: New Trends in Application Vulnerabilities and Exploits, Tom Speigner, SPI Dynamics
Slide 7
What are the typical threats applications face?
[Diagram: components and the threats that apply along the request path]
Components shown:
- Client (Browser)
- HTTP (http tcp/80 and SSL https/443)
- Firewall
- Web server
- Application server (PHP, Perl, ASP.Net, J2EE, mainframe)
- Database binding (ODBC, JDBC, ADO, SQLNet)
- SQL Database
Threats shown:
- Cross-site scripting, Spoofing, Privacy, Sniffing, Man-in-the-middle, Session hijack
- Buffer overflow, Format string, Directory traversal, Default accounts, Sample applications
- Input validation, Output validation, Metacharacters, Buffer overflow, SQL injection, Commands, Misconfiguration
Slide 8
Business Threats
Threat sources:
- Internal threat: Developer, Sys Admin, Internal staff, App Admin
- Environmental threat: Power failure, Fire, Other natural disaster
- External threat: Hacker, Activist, Industry spy, Foreign government, Intelligence agents, Application user
- Inappropriate action: Accidental human error, Deliberate human error
- IT malfunction: Computer component failure, Network failure, Hardware failure, Software bug, ISP failure
Business impact:
- Financial loss, Loss of IP, Loss of trade secrets, Privacy, Non-compliance, Business interruption, Loss of reputation, Loss of customer confidence, Industry espionage, Impact on productivity, cost and revenue
Slide 9
Agenda
1. Facts of Web Application Security
2. Web Application Vulnerability Classification
3. Case Study: Developing a Secure Web Application
4. Integrate Web Application Assessment and Code Review
Slide 10
PwC Web Application Vulnerability Classification
- Input Validation: Script Injection, SQL Injection, OS Command Injection, LDAP Injection, Cross Site Scripting (XSS), Buffer Overflow, Input Validation Evasion
- Business Logic: Need to Know, Separation of Duty, Reconciliation, Transaction Integrity
- Authentication: Authentication Request Security, Authentication Bypass, User Name, Password Quality, Password Reset, Password Lockout, User Name Enumeration, Authentication Replay
- Authorization: Parameter Manipulation, Input Manipulation, Application Flow Controls, Access Control Matrix Compliance, Least Privilege
- Session Management: Session Token Security, Session Timeout, Session Reuse, Session Deletion, Session Storage, Session Token Connect
- Data Protection: Sensitive Data in HTML, Data Storage, SSL Security, Data Transport Security, Client-side Data Security
- Configuration Hardening: HTTP Methods, Known Vulnerabilities / Security Patches, Back-up Files, Obsolete Files, Web Server Configuration, Infrastructure Admin Interface, Application Admin Interface
- Logging: Transaction Log, Authentication Log, Error Log
- Architecture: Network Security, Server Security, Database Security, Perimeter Security
- Operation: Backup and Recovery, Problem Management, Incident Response, BCP and DRP
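The Input Validation category above groups SQL injection and cross-site scripting together because both stem from the same defect: untrusted input is treated as code (SQL syntax or HTML markup) rather than as data. The following is an added example, not code from the deck, showing the vulnerable pattern next to its hardened form in Python with an in-memory SQLite table. The table, the user names and the allow-list rule for user names are constructed for illustration; the deck's case study used other technologies.

```python
import html
import re
import sqlite3

# Constructed sample data (not from the slides): a two-row user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn

# Layer 1: allow-list validation. Assumed rule for this example: lower-case
# letters, digits and underscore, 1 to 32 characters. Anything else is rejected
# before it reaches the database or the page.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def is_valid_username(name):
    return bool(USERNAME_RE.match(name))

# Vulnerable: input is concatenated into the statement, so the caller controls
# SQL syntax. A value containing a quote changes the WHERE clause.
def lookup_vulnerable(conn, name):
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

# Layer 2: parameterised query. The driver binds `name` as a value; the
# statement text never changes regardless of what the value contains.
def lookup_hardened(conn, name):
    if not is_valid_username(name):
        return []
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

# Vulnerable: the value is written into HTML unchanged, so markup in it is
# rendered by the browser (cross-site scripting).
def render_vulnerable(name):
    return "<p>Hello, " + name + "</p>"

# Layer 3: output encoding for the HTML context. html.escape() turns the five
# significant characters (< > & " ') into entities, so the browser shows text.
def render_hardened(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"      # constructed test input: a quote plus a tautology
    print("vulnerable lookup rows:", len(lookup_vulnerable(conn, probe)))  # 2
    print("hardened lookup rows:  ", len(lookup_hardened(conn, probe)))    # 0
    print(render_vulnerable("<b>x</b>"))
    print(render_hardened("<b>x</b>"))
```

The three layers are deliberately independent: validation narrows what is accepted, parameterisation keeps whatever is accepted out of the SQL grammar, and output encoding keeps it out of the HTML grammar. A code review checks for all three, because a field that passes validation today may be widened tomorrow.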
Slide 11
Demo [5 minute demo/walkthrough of web application vulnerability classifications]
Slide 12
Agenda
1. Facts of Web Application Security
2. Web Application Vulnerability Classification
3. Methodology and Approach
4. Case Study: Developing a Secure Web Application
Slide 13
Integrate Security Processes into SDLC

Slide 15
Key SDLC Processes - Security Requirement Engineering
Approach:
- Interview with stakeholders
- Review relevant security documents (regulatory, law, contract, policy)
- High-level risk assessment
Security requirements include requirements for:
- Confidentiality
- Integrity
- Availability
- Non-repudiation
- Authentication
- Authorization
Slide 16
Key SDLC Processes - Threat Modeling
Approach:
- Establish security context
  - Security requirements
  - Application use scenarios (public, anonymous, registered, internal admin, etc.)
  - External dependencies (network, system, application, environment, COTS, modules, etc.)
  - Trust boundaries
  - Security assumptions
- Threat analysis: Data Flow Diagram (DFD) analysis at various levels, for architecture and detailed design threat modeling
- Risk rating
- Mitigation selection
- Iteration
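The slide lists the steps (context, DFD analysis, risk rating, mitigation) but does not show what the analysis produces. The following is an added example, not from the deck or PwC's method, that encodes a small level-1 DFD of a constructed web application and walks the steps mechanically: it marks the data flows that cross a trust boundary, attaches candidate threats to each flow and to the process receiving it, scores them, and pairs each with a mitigation. The threat names follow STRIDE and the 1 to 3 likelihood and impact scales are assumptions made for this example; the slide names neither.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store" (DFD element types)
    zone: str   # trust zone; a flow between different zones crosses a trust boundary

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str   # classification label of the data carried

# Assumption: STRIDE threats that apply to a data flow, and to a process that
# accepts a flow from another trust zone. The slide only says "DFD analysis".
FLOW_THREATS = ["Tampering", "Information disclosure", "Denial of service"]
RECEIVER_THREAT = "Spoofing"

MITIGATIONS = {
    "Tampering": "integrity protection in transit plus server-side validation",
    "Information disclosure": "encrypt in transit and at rest, minimise data exposed",
    "Denial of service": "rate limiting, timeouts, capacity planning",
    "Spoofing": "authenticate the sender before trusting the data",
}

# Assumption: constructed impact scores (1-3) per data classification, and a
# likelihood of 3 for a boundary-crossing flow versus 1 for an internal one.
IMPACT = {"credentials": 3, "payment": 3, "session": 2, "catalogue": 1}

def crosses_boundary(flow, elements):
    return elements[flow.src].zone != elements[flow.dst].zone

def likelihood(flow, elements):
    return 3 if crosses_boundary(flow, elements) else 1

def rate_threats(elements, flows):
    """Return findings sorted by risk (likelihood * impact), highest first."""
    findings = []
    for f in flows:
        label = f"{f.src} -> {f.dst} ({f.data})"
        risk = likelihood(f, elements) * IMPACT[f.data]
        boundary = crosses_boundary(f, elements)
        for threat in FLOW_THREATS:
            findings.append({"target": label, "threat": threat, "risk": risk,
                             "boundary": boundary, "mitigation": MITIGATIONS[threat]})
        # A process that accepts data across a trust boundary must establish
        # who sent it; an internal flow inside one zone does not add this.
        if boundary and elements[f.dst].kind == "process":
            findings.append({"target": f.dst, "threat": RECEIVER_THREAT, "risk": risk,
                             "boundary": True, "mitigation": MITIGATIONS[RECEIVER_THREAT]})
    findings.sort(key=lambda x: x["risk"], reverse=True)
    return findings

def build_sample_model():
    """Constructed DFD for this example: browser, web app, user store, payment gateway, cache."""
    elements = {e.name: e for e in [
        Element("browser", "external", "internet"),
        Element("webapp", "process", "dmz"),
        Element("userdb", "store", "internal"),
        Element("gateway", "external", "third-party"),
        Element("cache", "store", "dmz"),
    ]}
    flows = [
        Flow("browser", "webapp", "credentials"),
        Flow("webapp", "userdb", "session"),
        Flow("webapp", "gateway", "payment"),
        Flow("webapp", "cache", "catalogue"),   # same zone: no boundary crossing
    ]
    return elements, flows

if __name__ == "__main__":
    elements, flows = build_sample_model()
    for item in rate_threats(elements, flows):
        flag = "BOUNDARY" if item["boundary"] else "internal"
        print(f"{item['risk']:>2} {flag:<8} {item['target']:<32} {item['threat']:<22} {item['mitigation']}")
```

The iteration step on the slide maps onto re-running the rating after a mitigation is recorded (for example, lowering the likelihood on a flow once it is authenticated and encrypted) and after the DFD is refined to a lower level, where a single "webapp" process splits into components with their own internal flows.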
Slide 17
PwC Application Security Assessment and Code Review Services
Summary
The application security assessment and code review service takes an integrated approach to application security issues. The service is performed by qualified PwC security personnel to provide clients with a comprehensive understanding of their current application security posture and its impact on the business, and to outline areas for improvement, which would ensure compliance with their business security requirements and alignment with their business objectives.
Advantage
- Saves cost and minimizes the impact on application operation.
- Ensures completeness and improves the efficiency of application security assessment and code review.
- Security assessment and source code review are customized and prioritized based on the client's specific application security profile.
- Integrating code review with assessment promotes cross-verification of the findings and ensures the accuracy of the results.
Key Points
Each engagement contains objectives specific to the client's needs. Our methodology is intended to be universally applicable regardless of technology, architecture or scope, but adaptive to individual clients' security objectives and requirements. The key points of our service are:
- To provide a strong risk management framework for testing;
- To provide a risk- and business-based focus to testing and provide results that link to business objectives and risk;
- To ensure maximum value and validity of test results by optimizing the testing to balance risk with depth of testing;
- To provide comprehensive root cause analysis of findings to allow for the development of strategic solutions.
Slide 18
Integrated Application Security Approach -- Application Security Assessment and Code Review (Date: April 27, 2006)
[Process flow diagram; recoverable step labels: A Security Requirement Gathering, B Threat Modeling, C Test Plan and Procedure, D Application Testing, F Vulnerabilities Analysis, H Code Security Review, I Code Security Verification, J Risk Assessment, K Reporting; further boxes: Source Code Security Profiling, Vulnerability Verification, and a Formal Approval Point]

Application Security Baseline
Establish the application security baseline, including security requirements, data assets, threats and risks, and controls. Develop the test plan and test procedure.
Objective: Determine the application security profile to plan and prioritize the assessment.
Approach:
- Application security requirement gathering
- Application technology survey
- Threat modeling
- Application security baseline development
- Application test plan and procedure development

Security Source Code Review
Review application source code in accordance with the test plan and test procedure to evaluate security architecture and coding security, and to identify security weaknesses and vulnerabilities.
Objective: Determine security weaknesses and vulnerabilities in application source code.
Approach:
- Review for common application vulnerabilities
- Review for design deficiencies
- Review for malicious code
- Review for business logic design flaws
- Vulnerability analysis and verification

Runtime Security Assessment
Perform a runtime security assessment in accordance with the test procedure to identify weaknesses and vulnerabilities and to determine the effectiveness and efficiency of the security controls.
Objective: Identify application weaknesses and vulnerabilities through runtime security assessment.
Approach:
- Application infrastructure security testing
- Application design and coding security testing
- Business logic security testing
- Vulnerability analysis
- Vulnerability verification

Report
Analyze the findings, evaluate the risk and business impact, and generate a report with an executive summary as well as technical details of the findings and recommendations.
Objective: Evaluate and report the findings and recommendations.
Approach:
- Risk assessment and business impact analysis
- Reporting
Slide 19
Agenda
1. Facts of Web Application Security
2. Web Application Vulnerability Classification
3. Methodology and Approach
4. Case Study: Developing a Secure Web Application
Slide 20
Case Study: Developing a Secure Web Application
Sample Web Application Development Projects
Security Requirement Engineering

Slide 21
Security Requirement Engineering

Slide 22
Threat Modeling

Slide 23
Integrated Security Assessment and Code Review
Slide 24
Agenda
1. Facts of Web Application Security
2. Web Application Vulnerability Classification
3. Methodology and Approach
4. Case Study: Developing a Secure Web Application
5. Summary
Slide 25
Summary: Developing a Secure Web Application
Practice -> Benefit
- Develop SDLC security policy -> Ensures the requirement for application security is well communicated.
- Develop SDLC security standard, guideline and procedure -> Ensures processes are in place to manage development security; ensures all applications are in compliance with the SDLC security policy; communicates specific application security requirements to the application team.
- Adopt threat modeling -> Identifies security vulnerabilities; increases awareness of the application architecture.
- Train the development team -> Avoids common security defects; correct application of security technologies.
- Code review -> Secures code that accesses the network, runs by default, uses unauthenticated protocols, or runs with elevated privileges.
- Security assessment -> Identifies critical security vulnerabilities and exposures through an independent party.
- Assign responsibility -> Establishes responsibility and accountability for application security.
Slide 26
Summary - Critical Thinking Questions
- People: What is the software development organization structure? What security skills does the project team have? Can any resources with security skills be allocated to the project? Does the QA or security team have the capability to perform application security assessment?
- Process: Is IT governance established? Is a formal SDLC practiced? What software quality management practices are in place? What security processes are necessary to achieve the application security objective?
- Technology: Are security standards and guidelines in place? Are security testing tools available?
Slide 27
Thank you.
2007 PricewaterhouseCoopers LLP, Canada. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, Canada, an Ontario limited liability partnership, or, as the context requires, the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers LLP.