Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in Application & SDLC

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Security in Application & SDLC"— Presentation transcript:

1 Security in Application & SDLC
Barkan Asaf Nov, 2006

2 Security Perimeter Placeholder for David Murphy External Network
Application Load Balancer App Server Application Layer Application Client Databases Proxy Web Server Hardened OS Placeholder for David Murphy Network Layer Firewall Firewall Firewall External Network DMZ Internal Segment Internal Segment

3 Security Regulations & Standards
"70% of today's successful hacks involve Web Application attacks " SPI Dynamics

4 Vulnerability Stack & Security scanners
Web Application Security scanner Network level Security scanner

5 Technical vs. Logical Vulnerabilities
Logical Flaws Security vulnerabilities that arise with some contextual logic in application. Example: Multi step procedure that can be bypassed with direct invocation Technical Vulnerability Security vulnerabilities that can be discovered without any contextual logic Examples: HTML Injection SQL Injection Web Application scanners limitations/challenges Session state management - Script parsing Logical flows Custom URLs Privilege escalation False negative/positive Technical vs. Logical Vulnerabilities at WhiteHat

6 Security Tollgates in Software Development Life Cycle (SDLC)
Release Cycle Product Requirements Functional Design Technical Design Implementation Testing Beta Security Tollgates Security Requirements Document Architectural Risk Analysis Secure Coding Security Testing

7 Unvalidated Input (A1) Validation layers Description
HTTP inputs into the application are not validated. Include URL, Headers, query strings, cookies, form fields, hidden fields. Leads to almost all web application vulnerabilities. Threats Client-side Attacks (3), Command Execution (4), Denial of Service (6.2) Demonstration Validation layers Counter measures Use Application level validation that includes: Strong data type Length Logical Boundaries Legal characters Correct Syntax Demonstration: Change loan rate

8 Broken Access Control (A2)
Description Authorization boundaries in code are broken or not properly enforced. Threats Credential/Session prediction (2.1), Insufficient Authorization (2.3) Insufficient process validation (6.4) Counter measures Robust authorization management Do not trust client side tokens for authorization Authorize all requests except anonymous objects Block resource enumeration and Forced Browsing in application Demonstration: Privelege escalation Change the Admin=false in cookie response to True All admin section become available 2) Anonymous web services First show the WS calls in Admin section Now invoke anonymous call to the GetUserDetail_using_loginID WS Use the Watchfire HTTP request editor POST details in : WScall_getUserInfobyID_JV.txt

9 Broken Authentication & Session Management (A3)
Description A weak implementation of Authentication framework or unsecure Session management. Threats Brute Force (1.1), Insufficient Authentication (1.2), Insufficient session expiration (2.3), Session fixation session (2.4), Session prediction (2.1) Demonstration Counter measures Use Random GUID as session indication Assign session id only after authentication Assign new session id when change from HTTP<->HTTPS Correlate session indication with valid session object in application Use standard and robust Password policy enforcement Use standard and robust Lockout policy enforcement Do not trust client to send session state (session GUID only) Demonstration: 1) Authentication brute force Show with Scarab the CookieLoginAttemp cookie Change the CookieLoginAttempts=5 header to 3333 in response and see the next iteration for brute force 2) Random Session ID Capture few requests to : with the sessionID analyzes plug-in and show a random ASP session id and explain importance of random

10 Cross Site Scripting (A4)
Description Attacker is using a vulnerable web application into sending unintentionally a user (Victim) a malicious active script that will be executed on its browser and breach his security framework. Threats Client-side attacks (3) Demonstration Demonstration XSS Demo Counter measures Use Application level validation that will either negatively or positively validate all inputs coming from untrusted clients. Use HTML encoding centrally in presentation layer Demonstration: Use the Watchfire demo

11 Buffer Overflows (A5) Description
The attacker sends data to a program, which it stores in an undersized stack buffer. The result is that a either corrupted or malicious code is executed. Buffer overflow vulnerabilities typically occur in code that: Relies on external data to control its behavior Depends upon external properties of the data Is so complex that a programmer cannot accurately predict its behavior Threats Buffer overflow (4.1) Code Example char buf[BUFSIZE]; gets(buf); Counter measures Use interpreted languages as Java/Python  Validate your input boundaries and size before processing

12 SQL Injection - Code example
Injection Flaws (A6) Description Attacker is using Injection flaws to relay malicious code through a web application to another System. The code is executed on behalf of the web application. Threats Command execution (4), Denial of Service (6.2) Example SQL Injection - Code example Counter measures Use Application level validation that will either negatively or positively validate all inputs coming from untrusted clients. Use prepared statements and set each parameter before use in query Show the SQL injection code examples in the link Demonstrate SQL queries to students to understand Demonstrate the SQL Injection using login page in Hackme bank Demonstrate the SQL injection flaw in the changing password by putting ‘ in the new password and see the SQL error 4) Demonstrate the XP cmd shell execution as last demonstration in lecture

13 Improper Error Handling (A7)
Description Improper handling of errors in application can result with the application sending the attacker Error messages that reveal implementation/architecture/components information he should not know. Threats Information leakage (5.2) Example throw SQL exceptions back to client throw stack trace on Web service exceptions throw Application server stack trace back to client Demonstrate the error messages return from the SQL injection when using the UNION command: ' having 1=1– This will give us the name of the users table fsb_users Counter measures Catch all exceptions in server side – never throw exception to client Handle all errors in back end Do not send the user excessive information that is not required as Platform architecture ports in use , components in use and more.

14 Insecure Storage (A8) Description
Improper usage/implementation of cryptographic in code application. Examples Saving private key of SSL server on File system as clear text Saving DB connection object as clear text on file system Failure to encrypt critical data Poor sources of randomness Poor choice of algorithm Attempting to invent a new encryption algorithm Failure to include support for encryption key changes Threats Information leakage (5.2), Insufficient Authentication (1.2) Demonstration: Show what happen when we ask for the Web.config file search for the Web.config.bak Open the Web.config.bak and search for information. Find the string to the admin section <add key="AdminSectionKey" value=" " /> Explain the clear text importance and use this key To hack into the Admin section Counter measures Use well known and proven cryptographic Choose a suited algorithm according to security/performance trade-off Make secrets in memory not serialized Make keys replaceable and configurable by size if possible Encrypt all private/confidential credentials

15 Denial Of Service (A9) Description All actions or procedures in application that will make it unusable. Network level attacks are not Included in here. Threats Denial of Service (6.2) Example Resource starvation when all concurrent users are used by zombies HTML persistence injection causes DoS to the application main page Demonstrate: Inject non terminated HTML element to the post messages Section in hackme bank <script> Show how the section become unusable after submitting Counter measures Use well known and proven cryptographic Choose a suited algorithm according to security/performance trade-off Make secrets in memory not serialized Make keys replaceable and configurable by size if possible Encrypt all private/confidential credentials

16 Insecure Configuration Management (A10)
Description Insecure usage of servers/components configuration. Mostly out of the box settings are not secure. Examples Unpatched security flaws in the server software Web server Misconfigurations (directory listing/traversal enabled) Unnecessary default, backup, or sample files Improper file and directory permissions Unnecessary services enabled Default accounts with their default passwords Administrative or debugging functions that are enabled or accessible Overly informative error messages (more details in the error handling section) Unsecre usage of certificates Demonstration: Talk about the web.config.bak file as example Threats Insufficient Authentication (1.2), Insufficient authorization (2.2), SSI Injection (4.6), Directory indexing (5.1), Information leakage (5.2), Path traversal (5.3), Predictable Recourse Location (5.4), Abuse of Functionality (6.1) Counter measures make hardening procedure to infrastructure before shipping

17 Summary Loose the naïve approach regard client’s behavior *
Validate all inputs from untrusted clients * No Such thing as Security in client side Use standard security solutions/configuration Make sure the client gets only the responses he needs * Leverage the energy, knowledge, plays, ER Understand quota, territory, accounts Make your number Remove legacy/unnecessary resources from production app

18 Cross Site Scripting (XSS)
The script, sent by the attacked client to the server was then received again by the client, now with the proper security context, and was able to send the cookie to the attacker Placeholder for David Murphy A4

19 SQL Injection – Code example
By passing Login logic using SQL Injection flaw SQLQuery = "SELECT Username FROM Users WHERE Username = ‘" & strUsername & "‘ AND Password = ‘" & strPassword & "‘" strAuthCheck = GetQueryResult(SQLQuery) If strAuthCheck = "" boolAuthenticated = False Else boolAuthenticated = True End If Explanation: If Username=‘ or 1=1 this will be evaluated to true always and the SQLQuery will be resolved to true Returning the first record in Users table and bypassing the login logic Placeholder for David Murphy Using UNION to concatenate data to flawed query SELECT FirstName, LastName, Title FROM Employees WHERE City = ‘‘ UNION ALL SELECT OtherField FROM OtherTable WHERE ‘‘=‘‘ Explanation: City = ‘’ will return null from DB and the only record sets returned From DB will be from the new query A6

20 Validation layers (Secure in depth)
Web related issues Logic boundries Persistence breaches Placeholder for David Murphy A1

Download ppt "Security in Application & SDLC"

Similar presentations

Webgoat.

Webgoat.
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Vulnerability Assessment Course Applications Assessment.

Vulnerability Assessment Course Applications Assessment.
Web Application Security Vulnerabilities Yen-Cheng Chen Department of Information Management National Chi Nan University Puli, 545 Nantou, Taiwan

Web Application Security Vulnerabilities Yen-Cheng Chen Department of Information Management National Chi Nan University Puli, 545 Nantou, Taiwan
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
1 Security in Application & SDLC Barkan Asaf Nov, 2006.

1 Security in Application & SDLC Barkan Asaf Nov, 2006.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Web App Access Control Design

Web App Access Control Design
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

Similar presentations

Ads by Google