Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
Dileep Kalidindi, 23rd June 2015
Securing Enterprise & Cloud Applications
Concept Mashup: #Cryptography #CloudSecurity #SecureCoding #PenetrationTesting
About Me ..!!
Dileep Varma Kalidindi
Senior Engineer @Responsys (since Apr’14), Circles Team.
Fascination: Problem Solving , Distributed & BigData churning systems.
Past: 8+yrs with VeriSign, Informatica Labs, NTT Data.
As an ordinary user (Aam Aadmi, not the broom party):
- Have your digital assets ever been hacked?
- How many phishing/malware emails are sitting in your Gmail inbox?
As a cloud product engineer:
- Application security: what scares the hell out of you?
- Can you host Responsys customer credit card information on some Oracle Cloud X product?
- Have you ever shipped a hotfix to close a security vulnerability in your code?
- Do we have an explicit secure-coding checklist and security testing as part of the release deliverables?
Absolute security is a myth!
What do you think ?
Secure world – Reality – Top 2014 flaws
- Heartbleed (OpenSSL 1.0.1 through 1.0.1f): a missing bounds check on the TLS heartbeat length field let a peer read up to 64 KB of process memory per request, exposing keys and data meant to be protected by HTTPS
- Data breaches at Target and Home Depot through POS malware: Home Depot lost 56M card details & 53M email addresses (Target, a year earlier, 40M cards)
- Apple "goto fail": an SSL/TLS certificate-validation bug in iOS/OS X that enabled man-in-the-middle attacks; the celebrity photo leak the same year came from iCloud account compromise, not from this bug
- Drupalgeddon: pre-authentication SQL injection in Drupal 7 core
- Facebook scams – 850,000; cost of cybercrime in 2014 > $12.5B
- Third-party apps: Dropbox passwords leaked, Snapchat images leaked
- Stuxnet, Flame
Agenda
- Cyber threats and impact
- Crypto concepts
- Cloud – data security considerations
- Java security landscape
- Secure coding practices
- Pen testing demo
Attack landscape – basic identification
Attacks – Secrecy (stealing), Integrity (tampering, phishing), Availability (DoS) & APTs (persistent)
Attack vectors – the path by which an attack takes place:
- Kernel/design flaws – buffer overflow (stack/heap)
- Insufficient input validation (injection)
- Misconfiguration
- Symlinks, file descriptors, race conditions
- Incorrect permissions
- Social engineering
Operational impact – denial of service (host/network/distributed), installed malware (remote code execution), web/root/user compromise
Informational impact – distort, disrupt, destruct, disclosure & discovery
Target systems – OS (kernel/user/driver), network, application (server, DB, email, web & client)
Cryptography – Back to basics & concepts
Cryptography - Basics & Concepts
Security goals
- Data integrity, authentication, non-repudiation, confidentiality & trust
- Deals with making communications and storage secure
Encryption / Decryption
- Encryption: clear-text message to cipher-text
- Decryption: cipher-text to clear-text
Types of encryption algorithms
- Symmetric key
- Asymmetric key
Cryptography - Hashes
- One-way function: infeasible to reverse (hashing is not encryption; there is no key and no decryption)
- Maps a variable-length input to a short fixed-length binary sequence
- Efficient to compute; infeasible to craft collisions (two inputs with the same hash)
- Used for password storage, integrity checks and as the first step of digital signatures
- Algorithms: MD5, 128 bits (broken); SHA-1, 160 bits (deprecated, avoid in new designs); SHA-256 & SHA-512
- Attacks: dictionary / rainbow-table attacks on unsalted password hashes, hash collisions
- Mitigation: per-user random salt, SHA-256 or better, two-factor auth; for passwords specifically, use a deliberately slow salted construction (PBKDF2, bcrypt, scrypt) rather than a single fast hash, so that offline guessing is expensive
Symmetric Crypto - Overview
- Same key used for encryption and decryption
- Needs a mechanism to exchange the shared key securely; the key must be kept secret and safely stored
- Used for storage and secure transmission of bulk data; symmetric ciphers are fast and give high strength for short keys (128- or 256-bit)
- Algorithms: DES (broken, 56-bit key), 3DES (legacy), AES (current standard), RC4 (broken, prohibited in TLS)
- Attacks: cryptanalysis & key compromise
- Mitigation: secure key store; prefer an authenticated mode such as AES-GCM so that any tampering with the ciphertext is detected on decryption
Asymmetric Crypto - Overview
- Public key is published to all; private key is a secret (to be stored safely)
- Encrypt with one key & decrypt with the other
- Infeasible to compute the private key from the public key
- Much slower than symmetric crypto, so it is used to exchange or wrap symmetric keys rather than to encrypt bulk data; longer keys give higher strength (RSA 2048 bits is the practical minimum today)
- Secure communications: key exchange during session establishment – SSL/TLS, PGP & SSH
- Mechanisms: digital signatures & certificates
Digital Signatures - Overview
- Combines hashing & asymmetric crypto: the data stays in cleartext; its hash is signed with the private key, and anyone holding the public key can verify it
- Algorithms: RSA with SHA-x (e.g. SHA256withRSA), DSA, ECDSA
- Applications: PGP-signed emails, SSL certificates, signed JARs
Digital Certificates - Signatures + Chain of trust
- Builds on digital signatures & PKI
- Certificate = a digitally signed public key
- Is public & valid for a limited time; certifies that the public key belongs to the subject; carries the CA's signature
- Chain of trust through CAs – VeriSign, Symantec (and, on the client side, a trusted root store that anchors the chain)
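The sign-then-verify mechanism behind both signatures and certificates, as an added Java example (not from the deck): an RSA-2048 key pair generated with the JCA, a message hashed with SHA-256 and signed with the private key, and verification with the public key that fails as soon as one character of the message changes. The order text is constructed; a certificate would additionally bind this public key to an identity via the CA's signature, which is the part a chain validator checks.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class SignatureExample {
    public static KeyPair generate() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Signer side: SHA-256 digest of the message, signed with the private key (PKCS#1 v1.5 padding).
    public static byte[] sign(PrivateKey priv, byte[] message) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(message);
        return s.sign();
    }

    // Verifier side: needs only the public key; false for any change to message or signature.
    public static boolean verify(PublicKey pub, byte[] message, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(message);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generate();
        // Constructed workflow message, the kind of inbound email the cloud section says to sign.
        byte[] order = "APPROVE transfer 1000 to acct 123".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(kp.getPrivate(), order);
        System.out.println("original verifies:        " + verify(kp.getPublic(), order, sig));

        byte[] altered = "APPROVE transfer 9000 to acct 123".getBytes(StandardCharsets.UTF_8);
        System.out.println("altered message verifies: " + verify(kp.getPublic(), altered, sig));
    }
}
```

Note that the message is sent in the clear alongside the signature; signing gives integrity and non-repudiation, not confidentiality. For confidentiality as well, encrypt the message (typically with a symmetric key wrapped by the recipient's public key) in addition to signing it.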
Data security considerations for Cloud
Cloud data security - Issues
Data security is crucial for enterprises, and protecting it is vital for reputation. The major deterrent to cloud computing adoption is the data security concern:
- Data moves out of enterprise boundaries
- Trust in cloud providers
- Shared infrastructure
The benefits are compelling if data security is comprehensive and non-intrusive. Top cloud data security issues (Gartner):
- Xen hypervisor virtualization bugs (a guest-escape flaw affects every tenant on the host)
- Breach notification and data residency
- Encryption key management & resilience of the encryption system
Cloud data security – Who is responsible
- Encrypting data before it is sent to the cloud is always a good practice
- Providers offer different levels of overall security
- Shared infrastructure raises the likelihood of a security breach
- APIs expose many admin functions; a weakness in an API can be catastrophic
- Encryption layers: encrypting higher up (in the application) protects more but is harder and less efficient
- Still, who has the keys? If the provider encrypts the disks, the provider can see the content; if the provider encrypts the file systems, the provider can see the file content!
Manage your cloud
- One-way hashes: store passwords in the database as salted one-way hashes (ideally a slow KDF) for apps hosted by you in the cloud
- Symmetric crypto: the secure way to store uploaded data, sensitive personal information in databases, VM images, emails etc. Encrypt sensitive data stores in the database and the search indexes of the apps you provide
- Asymmetric crypto: use HTTPS for all confidential exchanges; sign emails, especially inbound emails that trigger workflow actions; implement certificate-based client authentication properly
Cloud data security - trends
- Hardware Security Modules (HSM): a cryptographic black box; data goes in, transformed (encrypted or signed) data comes out, and the key never leaves the device. Secure & tamper-resistant storage for high-value keys
- Cloud encryption gateways (encrypt or tokenize data before it reaches the provider, so the keys stay with you)
- Fully homomorphic encryption (computing on data while it stays encrypted; still advanced research)
Java Security Landscape
Security Overview - Java
- Java platform at the core: type safety, automatic GC, secure class loading & bytecode verification
- Basic principles: implementation independence, interoperability & algorithm extensibility (the pluggable provider architecture)
- Robust bytecode verification and class loading
- APIs to integrate security into Java application code: cryptography (JCA/JCE), PKI (public key infrastructure), authentication (JAAS), secure communication (JSSE) & access control
Security model - evolution
- JDK 1.0 – local code is trusted and runs inside the JVM; untrusted remote code (applets) is confined to the sandbox
- JDK 1.1 – digitally signed remote code can be treated as trusted and run in the JVM with full privileges
- Java 2 Platform Security Model – fine-grained, policy-based access control: permissions are granted per code source (location and signer) in a policy file and enforced by the SecurityManager / AccessController, with doPrivileged to assert a subset of privileges (this model is deprecated from Java 17 onwards)
Security model – JVM view
Security model – policy stages
Secure class loading
PKI – public key cryptography – secure exchange of information: keys, certificates, public key encryption, and trusted Certification Authorities (CAs)
PKI tools – keytool (key and certificate store management), jarsigner (signing JARs)
Secure communication – SSL/TLS (JSSE), SASL, GSS-API & Kerberos
Other concepts:
Secure Coding Practices
Secure Coding – safeguard from Injection
Avoid injection attacks:
- SQL injection – SQL fragments injected through unsanitized form fields; use parameterised queries (PreparedStatement) instead of string concatenation
- Regex injection – sanitize or quote (Pattern.quote) user input that is used to build regular expressions, e.g. in search fields
- Log injection – do not log unsanitized input; strip CR/LF so an attacker cannot forge log lines
Coding errors are the major cause of software vulnerabilities – 64% of 2,500 entries in the National Vulnerability Database
Comprehensive list at the CERT standards (SEI CERT Oracle Coding Standard for Java)
Let's drive by code
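The SQL injection point above, as an added Java example (not code from the deck): the vulnerable concatenated query beside the hardened `PreparedStatement` version, both looking up the stored password hash for a username so that verification can happen in code afterwards. A JDBC `Connection` to a `users(name, pw_hash)` table is assumed and not created here; `main` only shows what the concatenated query text becomes for a constructed hostile username.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserDao {
    // VULNERABLE: untrusted input is spliced into the SQL text, so the input can change
    // the structure of the query, not just the value being compared.
    public static String vulnerableSql(String username) {
        return "SELECT pw_hash FROM users WHERE name = '" + username + "'";
    }

    public static String storedHashVulnerable(Connection cx, String username) throws SQLException {
        try (Statement st = cx.createStatement();
             ResultSet rs = st.executeQuery(vulnerableSql(username))) {
            return rs.next() ? rs.getString("pw_hash") : null;
        }
    }

    // HARDENED: the query text is fixed at compile time; the value is bound as a parameter
    // and is handed to the database as data, never parsed as SQL.
    public static String storedHashSafe(Connection cx, String username) throws SQLException {
        try (PreparedStatement ps = cx.prepareStatement("SELECT pw_hash FROM users WHERE name = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("pw_hash") : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed hostile username; the trailing space after "--" matters for MySQL comments.
        String attack = "x' UNION SELECT pw_hash FROM users WHERE name = 'admin' -- ";
        System.out.println(vulnerableSql(attack));
        // The concatenated text now reads:
        //   SELECT pw_hash FROM users WHERE name = 'x' UNION SELECT pw_hash FROM users WHERE name = 'admin' -- '
        // i.e. the attacker fetches the admin's hash. storedHashSafe() sends the same string as a
        // bound value, so the database looks for a user literally named "x' UNION SELECT ..." and finds none.
    }
}
```

Escaping quotes by hand is not a substitute: it breaks on numeric columns, on database-specific escape rules and on multi-byte encodings, whereas a bound parameter keeps the query structure fixed regardless of content.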
Secure Coding – avoid Cross site scripting
XSS – injection of client-side malicious script into web pages through web requests or unvalidated dynamic content.
Mozilla XSS-Me demo; reflected (non-persistent) vs persistent XSS attacks – demo (http://testasp.vulnweb.com/search.asp)
- Injected through data in HTTP query params or form submissions
- Caused by unvalidated user-supplied input being echoed in the response
- When the user's script input is stored on the server it becomes a persistent attack (e.g. saved search preferences)
XSS prevention model:
- Output-encode untrusted data for the context it is inserted into (HTML body, attribute, JavaScript, URL)
- Use the HttpOnly flag on the session cookie (so it cannot be read by any JavaScript)
- Content Security Policy on the browser side
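The reflected-search case and the three prevention measures above, as an added Java example (not code from the deck): a tiny search page on the JDK's built-in `com.sun.net.httpserver` that HTML-encodes the echoed query, sets the session cookie with `HttpOnly` (plus `Secure` and `SameSite`), and sends a Content Security Policy that forbids inline script. The cookie value, port and policy are assumptions for illustration; a real app would use its framework's encoder and session handling.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class SearchPage {
    // Encoding for HTML element content and double-quoted attribute values.
    // Other contexts (JavaScript strings, URLs, CSS) need their own encoders.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Reflected page: the query comes straight back in the response body.
    // Without escapeHtml(), q=<script>alert(1)</script> would execute in the victim's browser.
    public static String render(String query) {
        return "<!doctype html><html><body><h1>Results for \"" + escapeHtml(query)
             + "\"</h1><p>No matches.</p></body></html>";
    }

    static String queryParam(HttpExchange ex, String name) throws IOException {
        String raw = ex.getRequestURI().getRawQuery();
        if (raw == null) return "";
        for (String pair : raw.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            if (URLDecoder.decode(k, "UTF-8").equals(name)) {
                return eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), "UTF-8");
            }
        }
        return "";
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        server.createContext("/search", ex -> {
            byte[] body = render(queryParam(ex, "q")).getBytes(StandardCharsets.UTF_8);
            ex.getResponseHeaders().add("Content-Type", "text/html; charset=utf-8");
            // Defence in depth: even if an encoding bug slips through, inline script is blocked.
            ex.getResponseHeaders().add("Content-Security-Policy", "default-src 'self'; script-src 'self'");
            // HttpOnly keeps document.cookie from reading it; Secure/SameSite are assumed production flags.
            ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=demo; HttpOnly; Secure; SameSite=Strict");
            ex.sendResponseHeaders(200, body.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(body); }
        });
        server.start();
        System.out.println("Open http://127.0.0.1:8080/search?q=<script>alert(1)</script> and view source");
    }
}
```

The page source shows `&lt;script&gt;alert(1)&lt;/script&gt;` inside the heading, the browser renders it as text, and the CSP header would report a violation if any inline script did reach the page.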
Security Coding practices - Java
- Prevent denial of service (DoS): avoid serving expensive requests (repeated large file downloads); set limits for entity expansions and attributes when parsing XML – XMLConstants.FEATURE_SECURE_PROCESSING
- Release all resources in all cases (finally block, or try-with-resources)
- Best practices for input validation & data sanitization: do not trust the contents of hidden form fields – validate them; perform string modifications (normalization, case folding, decoding) before validation, never after, so the validated value is the one actually used (avoids XSS filter bypass) – Java example
- Object-orientation security practices: compare Class objects, not class names (two class loaders can load distinct classes with the same name)
- Source code analysis tools – BugScout, Pitbull SCC
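The XML denial-of-service item above, as an added Java example (not code from the deck): a `DocumentBuilderFactory` with `FEATURE_SECURE_PROCESSING` switched on and, on top of that, DOCTYPE declarations disallowed, so that a constructed "billion laughs" entity-expansion payload is rejected while an ordinary document still parses. The Apache feature URIs are those understood by the JDK's built-in Xerces parser; another parser implementation may throw `ParserConfigurationException` for them, which is the right outcome (fail closed).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class HardenedXml {
    // Constructed entity-expansion payload: three levels of tenfold expansion; real attacks
    // go deeper and would exhaust memory and CPU in an unrestricted parser.
    static final String BOMB =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE lolz [\n" +
        " <!ENTITY lol \"lol\">\n" +
        " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
        " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
        " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" +
        "]>\n" +
        "<lolz>&lol3;</lolz>";

    public static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Built-in resource limits (entity expansion count, attribute count, ...).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No DTD at all: removes internal entity expansion and external-entity (XXE) file reads.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true if the document parsed; false (with the parser's reason) if it was rejected.
    public static boolean parses(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (Exception e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder hardened = hardenedBuilder();
        System.out.println("bomb accepted:      " + parses(hardened, BOMB));
        System.out.println("plain doc accepted: " + parses(hardened, "<order id=\"7\"><qty>1</qty></order>"));
    }
}
```

With the DOCTYPE feature alone removed, the small payload above would still parse because the JDK caps expansions at 64,000 by default; the cap is what `FEATURE_SECURE_PROCESSING` enforces, and refusing DTDs outright is the stronger setting when your documents do not need them.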
Pen Testing
Penetration Testing
A method to evaluate the security of our web application – active analysis for vulnerabilities.
Hack your own application – before someone else does!
Testing phases – setup, passive phase & active phase
Attack environment (setup): set up a simulator (with firewalls, LBs, proxies and production config for app servers); try to penetrate as a stranger without any privileges on resources.
What do we need? Reconnaissance about the app, the right tools (plugins, exploit frameworks, crawlers), a system to hack & a mindset to crack!
Pen Testing – Passive
Reconnaissance – know your target:
- Determine application types & versions
- Refer to the latest vulnerabilities in OSVDB / NVD
- Observe regular application behaviour (RI)
- Advanced Google searching, aka Google hacking – https://pentest-tools.com/reconnaissance/google-hacking
- Application mapping – https://pentest-tools.com
Active phase – attack plan: business logic; authentication, authorization & session management; data validation & denial of service
Pen Testing – Tools
Fuzzing – an automated or semi-automated way of providing invalid, unexpected or random data to the inputs of a program; a required technique for finding SQL injection, DoS and XSS issues.
Tools:
- Exploit frameworks – Metasploit
- Web proxies – Burp, Paros, WebScarab
- Fuzzing – WSFuzzer
- Brute force – Brutus
- Password cracking – John the Ripper
- Scanners – w3af and ZAP
References
Links & References
• https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html#asserting_a_subset_of_privileges
• https://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderArch
• https://www.securecoding.cert.org/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java
• https://pentest-tools.com
• http://techbus.safaribooksonline.com/book/programming/java/0201787911
Q & A
Thank you
APPENDIX