How to Build a Trusted Application John Dickson, CISSP Overview What is Application Security? Examples of Potential Vulnerabilities Strategies to Build Secure Apps Questions and Answers Denim Group, Ltd. Background Enterprise application development company with security expertise Large-scale web application development projects Application-level integration Application security assessments and secure application development What is Application Security? Security associated with custom application code Focus is on web application security Versus non-Internet facing applications Protection of online customer data given recent privacy lapses Software Implementation – Perfect World Actual Functionality Intended Functionality Software Implementation – Real World Actual Functionality Intended Functionality Built Features Unintended And Undocumented Functionality Bugs Nature of HTTP and the Web Hyper-Text Transport Protocol (HTTP) is a light-weight application-level protocol with the speed that is necessary for distributed, collaborative information systems. HTTP is a state-less, connection-less transmission protocol Ports 80 & 443 (HTTP & HTTPS) Assumption: web servers expect request to come from browser - implicitly trust input Why Application Security? More business-critical apps and customer data online Attacker community focusing on port 80/443 Complexities involved with interaction between server, 3rd party code, and custom business logic 10% of FBI/CSI Study respondents reported misuse of public web applications Compliance pressures (SOX, GLB, HIPAA) Why Application Security? Rapid dev cycle creates control weaknesses Much investment focused on infrastructure Well understood threats, mature products Firewalls, authentication, intrusion detection Security many times an overlooked facet of web development projects Additional Challenges • Most organizations do not have sufficiently skilled resources to cope with application security assessments • Development teams typically under deadlines I love deadlines. I especially love the whooshing sound they make as they fly by. --Douglas Adams, Author, Hitchhiker's Guide to the Galaxy. Examples of Potential Vulnerabilities Parameter Tampering Price information is stored in hidden HTML field with assigned $ value Assumption: hidden field won’t be edited Attacker edits $ value of product in HTML Attacker submits altered web page with new “price” Still widespread in many web stores Price Changes via Hidden HTML tags Price Changes via Hidden HTML tags Cookie Poisoning Attacker impersonates another user Identifies cookie values that ID’s the customer to the site Attacker notices patterns in cookie values Edits pattern to mimic another user Cookie Poisoning Cookie Poisoning Cookie Poisoning Cookie Poisoning Unvalidated Input Attack Exploitation of implied trust relations Instead of: [email protected] Attacker inputs: ////////////////////////////////////////////////// Exploits lack of boundary checkers on back-end application Unvalidated Input Attack Unvalidated Input Attack Unvalidated Input Attack Unvalidated Input Attack Potential Strategies to Build Secure Apps Potential Strategies to Build Secure Apps OWASP resources Attack modeling Bridge Cultural gap Assess SDLC Application Security Assessments Open Web Application Security Project Top Ten List 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Unvalidated Input Broken Access Control Broken Authentication and Session Management Cross-Site Scripting Flaws Buffer Overflows Injection Flaws Improper Error Handling Insecure Storage Denial of Service Insecure Configuration Management *Source www.owasp.org OWASP Testing Background of OWASP testing No existing standards prior to OWASP Threat groups – not specific threats High level concepts Industry group designed to develop common app pen test language Bridge Cultural Gap Between Security and Developers Key Challenge: Build vs. Measure Cultures Application Development groups are building technical capabilities based upon evolving business requirements Corporate IS Security dept. in charge of ongoing security operations Include Security in SDLC Security must become a key aspect of the development process Security requirements reflected in design plan Ensure the security is part of the iterative development process Changes to web sites are ongoing and are not static QA Group should not be last line of defense Attack Modeling Provides deeper understanding of risk areas Distributed software can be attacked at many points Helps developers think differently Want to create software that is secure “enough” Attack Modeling ID assets Create an architecture overview Understand application w/ use cases and other modeling tools ID potential threats Enumerate each threat Rank order threats for trade-off analysis Code Evaluation Paths Code review – auditing source code Expensive, time consuming, and takes expertise Application assessments – reviews functionality and interactions of compiled applications in real-life environments Potentially superficial and only capture a % of actual vulnerabilities in custom code Application Security Reviews Internal or 3rd party process to assess internally developed applications Assessment reviews major web app vulnerabilities Use best-of-breed tools and custom scripts Integrated with client development schedule Reviews designed to coincide with key development milestones of client project Application Security Reviews Commercial security scanners are becoming more widespread Automated tools are great first-round way to assess potential vulnerabilities However, in-depth assessments use custom scripts and code reviews (sometimes) Analogy of network scanners Consider Augmenting security team with internal or external .Net and Java security experts Assessment Benefits 3rd-party assessment of applications by noted experts; Increase confidence & reliability in application Compliance with government regulations Sarbanes Oxley, GLB, HIPAA Satisfies potential SEC audit objectives Knowledge transfer to clients on development techniques for secure applications Wrap up Application Security is emerging as a critical aspect of enterprise security Emerging best practices include iterative assessments and defense in depth Cultural, organizational, and technical challenges all may hinder an effective strategy Questions and Answers? John Dickson, CISSP [email protected] (210) 572-4400