Evolving Threats

Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls / IDS / IPS Firewall Databases Backend Server Application Servers Info Security Landscape

Hackers Exploit Unintended Functionality to Attack Apps Unintended Functionality Actual Functionality Intended Functionality

The OWASP Top 10 Application ThreatNegative ImpactExample Impact Cross Site scriptingIdentity Theft, Sensitive Information Leakage, …Hackers can impersonate legitimate users, and control their accounts. Injection FlawsAttacker can manipulate queries to the DB / LDAP / Other system Hackers can access backend database information, alter it or steal it. Malicious File ExecutionExecute shell commands on server, up to full controlSite modified to transfer all interactions to the hacker. Insecure Direct Object ReferenceAttacker can access sensitive files and resourcesWeb application returns contents of sensitive file (instead of harmless one) Cross-Site Request ForgeryAttacker can invoke “blind” actions on web applications, impersonating as a trusted user Blind requests to bank account transfer money to hacker Information Leakage and Improper Error Handling Attackers can gain detailed system informationMalicious system reconnaissance may assist in developing further attacks Broken Authentication & Session ManagementSession tokens not guarded or invalidated properlyHacker can “force” session token on victim; session tokens can be stolen after logout Insecure Cryptographic StorageWeak encryption techniques may lead to broken encryptionConfidential information (SSN, Credit Cards) can be decrypted by malicious users Insecure CommunicationsSensitive info sent unencrypted over insecure channelUnencrypted credentials “sniffed” and used by hacker to impersonate user Failure to Restrict URL AccessHacker can access unauthorized resourcesHacker can forcefully browse and access a page past the login page

Common Web Application Vulnerabilities

Contd..

Where Do These Problems Exist? Type: Customer facing services Partner portals Employee intranets Source: Applications you buy Applications you build internally Applications you outsource

How common are these issues ? 80% of Websites and applications are vulnerable to these attacks – Watchfire Research

Motives Behind Application Hacking Incidents Source: Breach/WASC Web Hacking Incident Annual Report

Web Hacking Incidents by Industry

What is the Root Cause? Developers not trained in security Most computer science curricula have no security courses Under investment from security teams Lack of tools, policies, process, etc. Growth in complex, mission critical online applications Online banking, commerce, Web 2.0, etc Number one focus by hackers 75% of attacks focused on applications - Gartner Result: Application security incidents and lost data on the rise

Building Security Into the Development Process Test existing deployed apps Eliminate security exposure in live applications Production Test apps before going to production Deploy secure web applications Deploy Test apps for security issues in QA organization along with performance and functional testing Test Test apps for security issues in Development identifying issues at their earliest point Realize optimum security testing efficiencies (cost reduction) Development Security requirements, architecture, threat modeling, etc Define/Design

Security Testing Within the Software Lifecycle Build Developers SDLC CodingQASecurityProduction Application Security Testing Maturity

Other Vector for Attack Network Cloud LAN/WAN Network Devices Database Processed information of Financial data People Private Information Government's Confidential data

Resources Sans.org Nist.gov Tools Nikto Burp Zap Proxy W3af Nmap shodan