1
Security for Managers and Executives
OWASP Education - Computer based training
Security for Managers and Executives
Nishi Kumar, Systems Architect, FIS, OWASP CBT Project Lead
Welcome to the application security training. I am Nishi Kumar. Today I wanted to bring awareness about something that you all know about but really don't understand its full extent. I would like to talk about application security.
2
Objectives
- Bring application security awareness
- Things we can do that will help build secure applications
- Processes we can have for achieving this goal
- Answer some common questions
3
How would you feel if your confidential data is stolen?
Angry! Frustrated!
4
Identity Theft and Phishing
Have you heard about identity theft and phishing attacks? Phishing is the fraudulent process of obtaining sensitive information such as usernames, passwords and credit card details through a malicious web site that pretends to be an authentic one.
5
Facebook Phishing Attack
Lures people to a fake Facebook page and prompts them to log in. Unsuspecting Facebook users get a message from a friend urging them to "check this out" and including a link to a Web page that appears to be a Facebook log-in page.
This was a real-life example of a phishing attack on Facebook where users were lured into providing their login credentials.
6
Article from Wall Street & Technology
This is an article from Wall Street & Technology, which reports that security attacks against banking organizations soared 81 percent in the first half of this year. Hacking is a multibillion-dollar business.
7
Why Should We Care? Let's just think this through...
How likely is a successful web application attack?
- Stunningly prevalent
- Easy to exploit without special tools or knowledge
- Little chance of being detected
- Hundreds of thousands of developers, tiny fraction with security
Consequences?
- Corruption or disclosure of database contents
- Root access to web and application servers
- Loss of authentication and access control for users
- Defacement
- Secondary attacks from your application
The question is: as a company, why should we care about investing time and energy in securing our applications? Believe it or not, if applications contain vulnerabilities, a successful attack is easier than you think. There are hundreds of thousands of developers in the world, but only a tiny fraction of them have expertise and experience with security. The result is that applications get compromised, sensitive data is leaked and database content gets corrupted. Attackers can even get root access to the web and application servers. Later during this presentation I will show you how attackers can change the face of the application for their benefit. If a malicious script gets injected into our application successfully, then secondary attacks will happen from our application.
8
Cost of Non-Compliance
In the event of a breach the acquirer CAN make the merchant responsible for:
- Any fines from PCI-Co, up to $500,000 per incident
- Cost to notify victims
- Cost to replace cards (about $10/card)
- Cost for any fraudulent transactions
- Forensics from a QDSC
- Level 1 certification from a QDSC
The QDSC (Qualified Data Security Company certification) by Visa© authorizes a company to perform level-one onsite assessments for merchants and service providers requiring a "Report on Compliance" (ROC).
I also wanted to bring some awareness about the cost of non-compliance. In the event of a breach, the fines that our organization will have to pay are hefty. We will have to pay a fine from PCI of up to $500,000 per incident, the cost to notify the victims, around 10 dollars per card to replace the cards, the cost of fraudulent transactions, a forensic investigation and a level one certification from a Qualified Data Security Company.
9
Cost of Non-Compliance (Cont)
Example: 50,000 credit cards stolen
- PCI Penalty - $100,000 per incident; $500,000 if you do not have a self-assessment
- Card Replacement - $500,000 (50,000 x $10 per card)
- Fraudulent Transactions - $61,750,000 ($1,235 average fraudulent transaction x 50,000)
- Bad Publicity - Priceless!
Let's see how this translates to a potential scenario. Take a case where 50,000 credit card records are stolen. The PCI penalty is $100,000. If we don't have a self-assessment then it is $500,000. Card replacement is $500,000. In 2004 the cost of the average fraudulent transaction was $1,235, so the total cost of fraudulent transactions would be approximately $61,750,000. Of course, no amount of money would compensate for the bad publicity. As the saying goes, that is priceless.
10
Why is Web Application Security important?
Attacks Shift Towards Application Layer
Security spending versus attacks (sources: Gartner, Watchfire):
- Web Applications: 75% of attacks, 10% of security dollars
- Network/Server: 25% of attacks, 90% of security dollars
- 2/3 of All Web Applications Are Vulnerable
The root cause of most of these attacks is web application security vulnerabilities. According to Gartner, two-thirds of all web applications are vulnerable. Organizations think that if they protect their network resources their applications are safe. But that is simply not true. 75% of attacks happen through web applications. As you can see in this chart, 90% of security spending happens on the network layer and only 10% on the application layer, whereas 75% of attacks happen on the application layer and only 25% on the network layer.
11
Problem Illustrated: Application Layer vs. Network Layer
Application Layer:
- Attacker sends attacks inside valid HTTP requests
- Your custom code is tricked into doing something it should not
- Security requires software development expertise, not signatures
Network Layer:
- Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests
- Security relies on signature databases
[Diagram: an application attack from an attacker or insider passes through the firewall, hardened OS, web server and app server into the custom code; the application layer shown holds Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce and other business functions, backed by Databases, Legacy Systems, Web Services, Directories, Human Resources and Billing.]
I wanted to illustrate here visually how the attack happens. Attackers send an attack inside a valid HTTP request. Application code is tricked into doing something it was not supposed to do. Full application security requires specific software development expertise. Network layer security alone cannot stop attacks inside HTTP requests.
12
Demo Attack: Phases of hacker attacks
I wanted to illustrate one of many possible ways a hacker attacks. The first step is that the hacker tries to gather information. Then he uses that information to attack the infrastructure and carry out the exploit.
13
Phase 1 - Information Search: Fingerprinting
1. Hacker searches for information about the victim's target system: operating system, web server, database
2. Compares that information with a vulnerability database
The hacker tries to gather information about the operating system, web server and database, and compares it with a vulnerability database.
14
Phase 1 - Information Search: SQL Injection
1. Hacker found a vulnerability: searches for a (specific) user and finds additional information about that user
2. Needs that information for the next phase of the attack
15
Phase 2 - Infrastructure: Cross Site Scripting (XSS)
1. Hacker found personal information about the user: email address, phone number, ...
2. Sends an email with an unsuspicious topic
3. Includes XSS in that email that sends the user's session to the hacker's server
The hacker then uses the vulnerability to get personal information like email address and phone number, and sends an email to the victim which contains a malicious script.
16
Phase 2 - Infrastructure: Cross Site Scripting (XSS)
1. User receives an email
2. The email is unsuspicious to the user (topic, originator)
3. Included XSS sends all cookies to the hacker's web site
This is the time when you will receive an email saying something like "Please login to your online banking to update your account information". You think this is a valid email. You click that link. The XSS, or the malicious code included in that link, takes your session cookie and sends it to the hacker.
17
Phase 3 - Exploit: Session hijacking
1. Hacker received all cookies from the user
2. Cookies are used to identify users
3. Hacker uses the cookie to resume the user's session
4. Hacker is logged in as user "victim" with the user's access rights
The hacker receives all the cookies. Cookies are used to identify users. He uses that to resume your session. Now the hacker has logged in to your banking site with your access rights.
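The chain on these three slides is broken at two places by the application itself: encoding user-controlled data before it is put into a page, and flagging the session cookie so that script running in the browser cannot read it. The Python below is an added example, not part of the presentation; the input string, cookie name and function names are constructed for illustration.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample of user-controlled input (e.g. a display name or message
# field) carrying script, as in the "message from a friend" on the slides.
SAMPLE_INPUT = 'Nishi<script>send(document.cookie)</script>'


def render_greeting_unsafe(user_input: str) -> str:
    """Vulnerable pattern: user input is pasted straight into HTML, so any
    <script> it carries runs in the victim's browser with the site's cookies."""
    return f"<p>Hello {user_input}</p>"


def render_greeting_safe(user_input: str) -> str:
    """Hardened pattern: HTML-encode the input, so '<script>' is shown as text
    ('&lt;script&gt;') instead of being parsed as markup."""
    return f"<p>Hello {html.escape(user_input, quote=True)}</p>"


def contains_script_tag(markup: str) -> bool:
    """Simple check used here to show the difference between the two renderers."""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value for the session cookie with HttpOnly (not readable
    from document.cookie, so the XSS in phase 2 cannot send it anywhere), Secure
    (only sent over HTTPS) and SameSite=Strict (not sent on cross-site requests)."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id          # constructed cookie name
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["samesite"] = "Strict"
    cookie["SESSIONID"]["path"] = "/"
    return cookie["SESSIONID"].OutputString()


def cookie_is_hardened(set_cookie_value: str) -> bool:
    """Check a Set-Cookie value (e.g. captured with a proxy such as WebScarab)
    for the two flags that matter for session theft: HttpOnly and Secure."""
    attributes = {part.strip().split("=", 1)[0].lower()
                  for part in set_cookie_value.split(";")[1:]}
    return {"httponly", "secure"} <= attributes


if __name__ == "__main__":
    print("unsafe :", render_greeting_unsafe(SAMPLE_INPUT))
    print("safe   :", render_greeting_safe(SAMPLE_INPUT))
    header = session_cookie_header("constructed-session-id")
    print("cookie :", header, "->", "hardened" if cookie_is_hardened(header) else "weak")
```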
18
That was just the beginning
That was just the beginning. You can easily imagine what is going to happen next.
19
Demo: Cross-site scripting
XSS-Proxy: a tool for leveraging Cross-Site-Scripting (XSS) flaws to hijack victim browsers that allows a bi-directional interactive control channel between attacker, victim browser and an XSS vulnerable site.
WebGoat XSS lessons
20
Leverage OWASP for Web Application Security Training
At this point I wanted to introduce OWASP. It is an international non-profit organization primarily staffed by volunteers and funded by participating companies. The mission of this organization is to make web application security visible. You can find additional information about OWASP at www.OWASP.org.
- The Open Web Application Security Project (OWASP Foundation Inc.)
- Participation in OWASP is free and open to all
- The vision is a software market that produces code that's secure.
- The mission is to make security visible so that software buyers and sellers are on equal footing and market forces can work.
- International not-for-profit charitable organization funded primarily by volunteers' time and OWASP Memberships
21
What are the Top 10 Vulnerabilities?
The question is: what are the top 10 web application vulnerabilities? After extensive research and analysis, OWASP came up with the Top 10 vulnerabilities that plague a typical web application.
22
Common Security Issues: The OWASP Top 10 2010
- The Ten Most Critical: aimed to educate developers, architects and security practitioners about the consequences of the most common web application security vulnerabilities
- Living document: the 2007 T10 is different from the 2004 T10
- OWASP Top 10 released
The OWASP Top 10 is aimed at educating developers, architects and security practitioners about the most common web application vulnerabilities.
23
Users and Adopters
- Payment Card Industry (PCI): PCI DSS requirements - OWASP Top 10; PA-DSS requirements - OWASP Top 10; security code review for all custom code
- OWASP Supporters
The OWASP Top 10 has been adopted by organizations across the world. The PCI DSS requirements reference the OWASP Top 10, and so do the PA-DSS requirements.
24
Common Security Issues: The OWASP Top 10 2007
A1: Cross Site Scripting (XSS)
A2: Injection Flaws
A3: Malicious File Execution
A4: Insecure Direct Object Reference
A5: Cross Site Request Forgery (CSRF)
A6: Information Leakage and Improper Error Handling
A7: Broken Authentication and Session Management
A8: Insecure Cryptographic Storage
A9: Insecure Communications
A10: Failure to Restrict URL Access
These are the ten most common security issues in a web application.
25
Common Security Issues: The OWASP Top 10 2010
These are the ten most common security issues in a web application
26
Security Threats and OWASP T10 Vulnerabilities
- Phishing: exploits weak authentication, authorization, session management and input validation (XSS, XFS) vulnerabilities
- Privacy violations: exploit poor input validation, business rule and weak authorization, injection flaw and information leakage vulnerabilities
- Identity theft: exploits poor or non-existent cryptographic controls, malicious file execution, authentication, business rule and authorization check vulnerabilities
Other threats like system compromise, financial loss and reputation loss also map to OWASP Top 10 vulnerabilities.
27
Security Threats and OWASP T10 Vulnerabilities (cont)
- System compromise, data alteration or data destruction: exploit injection flaws and remote file inclusion/upload vulnerabilities
- Financial loss: exploits unauthorized transactions and CSRF attacks, broken authentication and session management, insecure object reference and weak authorization/forceful browsing vulnerabilities
- Reputation loss: depends on any evidence (not necessarily exploitation) of a web application vulnerability
28
OWASP Top Ten 2007 and ESAPI (Enterprise Security API)
If there is a problem, there is a solution. OWASP has also provided the solution: ESAPI, the Enterprise Security API, for remediation of all these 10 vulnerabilities. It has generic APIs for each of these vulnerabilities. This is a great source where application developers can see how specific issues can be remediated.
29
OWASP Documentation on Web Application Security
- Application Security Desk Reference (ASDR): basic reference material on application security terminology
- Developer Guide: comprehensive guide for Web applications and Web services security
- Code Review Guide: comprehensive secure code review guide on the web
- Testing Guide: Web application penetration testing
- ASVS: Application Security Verification Standard
OWASP provides some great documentation and guidelines on application security. The Application Security Desk Reference is basic reference material on application security terminology, the Developer Guide is a great resource which teaches developers web application and web services security, the Code Review Guide teaches how to do code review for security, the Testing Guide teaches how to test for security, and ASVS provides a standard for doing application security verification.
30
OWASP Tools and Technology
- Automated Security Verification: Vulnerability Scanners, Static Analysis Tools, Fuzzing
- Manual Security Verification: Penetration Testing Tools, Code Review Tools
- Security Architecture: ESAPI
- Secure Coding: AppSec Libraries, ESAPI Reference Implementation, Guards and Filters
- AppSec Management: Reporting Tools
- AppSec Education: Flawed Apps, Learning Environments, Live CD, SiteGenerator
OWASP also provides some great tools and technologies for security verification, manual penetration testing, security architecture, secure coding and education.
31
Live CD
- Project that collects some of the best open source security projects in a single environment
- Users can boot from the Live CD and immediately start using all tools without any configuration
32
OWASP Tools: OWASP WebScarab v, OWASP WebGoat v5.2, OWASP CAL9000 v2.0, OWASP JBroFuzz v1.2, OWASP DirBuster v0.12, OWASP SQLiX v1.0, OWASP WSFuzzer v1.9.4, OWASP Wapiti v2.0.0-beta
Other tools: Paros Proxy v3.2.13, nmap & Zenmap v4.76, Wireshark v1.0.5, tcpdump v4.0.0, Firefox addons, Burp Suite v1.2, Grendel Scan v1.0, Metasploit v3.2 (svn), w3af + GUI svn r2161, Netcats (original + GNU), Nikto v2.03, Fierce Domain Scanner v1.0.3, Maltego CE v2-210, Httprint v301, SQLBrute v1.0, Spike Proxy v, Rat Proxy v1.53-beta
This is the list of tools that come on the Live CD.
33
Web Goat
A classic vulnerable application to teach developers security code flaws
WebGoat is a classic vulnerable application that teaches developers about security code flaws.
34
WebScarab - A Proxy Engine
A proxy tool to intercept HTTP requests and HTTP responses.
35
Software Assurance Maturity Model (SAMM)
- The four Disciplines are high-level categories for activities
- Three security Functions under each Discipline are the specific silos for improvement within an organization
- From each of the Business Functions, 3 Security Practices are defined
- The Security Practices cover all areas relevant to software security assurance; each one is a 'silo' for improvement
It will help in:
- Evaluating existing software security practices
- Building a balanced software security assurance program in well-defined iterations
- Demonstrating concrete improvements to a security assurance program
- Defining and measuring security-related activities
As an organization, how can we improve? How can we build security into software development? The Software Assurance Maturity Model (SAMM) is the answer. SAMM is an open framework from OWASP to help organizations implement a strategy for software security. At the highest level, SAMM defines four critical Business Functions: Governance, Construction, Verification and Deployment. Each Business Function is the nuts-and-bolts of software development. For each Business Function, SAMM defines three Security Practices. So overall, there are twelve Security Practices that will help us build secure applications.
Alignment & Governance: Governance is centered on the processes and activities for how an organization manages overall software development activities. This includes cross-cutting concerns on development and processes at the organization level.
- Education & Guidance: involves increasing security knowledge amongst personnel in software development through training and guidance on security topics relevant to individual job functions.
- Standards and Compliance: involves setting up a security and compliance control and audit framework throughout an organization to achieve increased assurance in software under construction and in operation.
- Strategic Planning: involves the overall strategic direction of the software assurance program and instrumentation of processes and activities to collect metrics about an organization's security posture.
Requirements & Design: In general, this will include product management, requirements gathering, high-level architecture specification, detailed design, and implementation.
- Threat Modeling: involves accurately identifying and characterizing potential attacks on software in order to better understand the risks and facilitate risk management.
- Security Requirements: involves promoting the inclusion of security-related requirements during the software development process in order to specify correct functionality from inception.
- Defensive Design (Secure Architecture): involves bolstering the design process with activities to promote secure-by-default designs and control over technologies and frameworks upon which software is built.
Verification & Assessment: focused on the processes and activities for how we check and test artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it can also include other review and evaluation activities.
- Architecture Review (Design Review): involves inspection of the artifacts created from the design process to ensure provision of adequate security mechanisms.
- Code Review: involves assessment of source code to aid vulnerability discovery and related mitigation activities as well as establish a baseline for secure coding expectations.
- Security Testing: involves testing software in its runtime environment in order to both discover vulnerabilities and establish a minimum standard for software releases.
Deployment & Operations: involves release management. This can involve shipping products to end users, deploying products to internal or external hosts, and normal operations of software in the runtime environment.
- Vulnerability Management: involves establishing consistent processes for managing internal and external vulnerability reports to limit exposure and gather data to enhance the security assurance program.
- Environment Hardening: involves implementing controls for the operating environment, like web server and application server hardening.
- Operational Enablement: involves identifying and capturing security-relevant information needed by an operator to properly configure, deploy, and run software.
[Diagram: Disciplines (Alignment & Governance, Requirements & Design, Verification & Assessment, Deployment & Operations) and the Functions under each.]
36
Software Assurance Maturity Model (SAMM)
Check out this one... Let's take the example of Education & Guidance. We can have 3 levels of objectives and activities.
37
SAMM: Conducting assessments
SAMM includes assessment worksheets for each Security Practice, based on the levels.
38
SAMM: Creating Scorecards
- Gap analysis: capturing scores from detailed assessments versus expected performance levels
- Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
- Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place
We can do gap analysis and create ongoing metrics. This is a sample chart which shows before-and-after metrics for each business function.
39
Process perspective: Build Security into the SDLC
The question is: how can we build security into our SDLC process? How can we map SAMM to an organization's SDLC process? Here is a proposed design of how we can have a secure SDLC in an organization. In the preliminary requirements phase we also have a high-level risk assessment. In the project requirements phase we clearly define security requirements. In the design phase we add threat modeling, security architecture review and high-level security test planning. In the development phase we add peer code review, static and dynamic code review and security unit tests. We also need to make sure the people who are doing code review are trained to do code review. In the QA testing phase we add security tests, functional tests, risk-driven tests, system tests, white box tests and black box tests. Black-box test design treats the system as a "black box", so it doesn't explicitly use knowledge of the internal structure; black-box test design is usually described as focusing on testing functional requirements. White-box test design allows one to peek inside the "box", and it focuses specifically on using internal knowledge of the software to guide the selection of test data. In the security configuration and deployment phase we have secure configuration and secure deployment. In the secure operations phase we have incident management and patch management. Last but not least, we have ongoing training, awareness, metrics and measurements.
41
Threat Modeling - An approach for analyzing security
Data movement across a trust boundary (such as from the Internet to the web tier, or from the business logic to the database server) needs to be carefully analyzed, whereas data that flows within the same trust level does not need as much scrutiny.
42
Threat Categorization - STRIDE
Threats can be systematically identified in the application in a structured and repeatable manner:
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
43
Threat Categorization (cont)
Type | Example | Security Control
Spoofing | Illegally access and use another user's credentials | Authentication
Tampering | Maliciously change/modify persistent data, such as data in a database | Integrity
Repudiation | Perform illegal operations that cannot be traced | Non-Repudiation
Information disclosure | Read a file that one was not granted access to, or read data in transit | Confidentiality
Denial of service | Deny access to valid users, such as making a web server temporarily unavailable or unusable | Availability
Elevation of privilege | Gain unauthorized access or compromise a system | Authorization
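Applying the trust-boundary rule from the threat modeling slide together with this STRIDE table, as an added Python example that is not part of the presentation: the components, trust levels and flows are a constructed model of the Internet, web tier, business logic and database mentioned on the slide, and the per-flow choice of STRIDE categories is this example's own simplification.

```python
from __future__ import annotations
from dataclasses import dataclass

# STRIDE category -> the security control the table above lists against it.
STRIDE_CONTROL = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-Repudiation",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Authorization",
}


@dataclass(frozen=True)
class Component:
    name: str
    trust_level: int  # 0 = untrusted (Internet); higher numbers are more trusted


@dataclass(frozen=True)
class Flow:
    src: Component
    dst: Component
    data: str


def crosses_trust_boundary(flow: Flow) -> bool:
    """The slide's rule: a flow between different trust levels crosses a boundary."""
    return flow.src.trust_level != flow.dst.trust_level


def threats_for_flow(flow: Flow) -> list[tuple[str, str]]:
    """Return (STRIDE category, control) pairs worth analysing for one flow.
    Simplified selection (assumption of this example): every boundary crossing
    can be tampered with, disclosed or flooded; a flow arriving from the less
    trusted side additionally raises the who-is-calling questions (spoofing,
    elevation of privilege, repudiation of the requested action)."""
    if not crosses_trust_boundary(flow):
        return []
    categories = ["Tampering", "Information disclosure", "Denial of service"]
    if flow.src.trust_level < flow.dst.trust_level:
        categories += ["Spoofing", "Elevation of privilege", "Repudiation"]
    return [(c, STRIDE_CONTROL[c]) for c in categories]


def analyze(flows: list[Flow]) -> dict[str, list[tuple[str, str]]]:
    """Map 'src -> dst (data)' labels to their threat list, keeping only flows
    that cross a trust boundary, i.e. the ones the slide says need scrutiny."""
    report = {}
    for flow in flows:
        threats = threats_for_flow(flow)
        if threats:
            report[f"{flow.src.name} -> {flow.dst.name} ({flow.data})"] = threats
    return report


# Constructed model: Internet user, web tier, business logic, database, plus an
# internal audit log sitting at the same trust level as the business logic.
USER = Component("Internet user", 0)
WEB = Component("Web tier", 1)
LOGIC = Component("Business logic", 2)
AUDIT = Component("Audit log", 2)
DB = Component("Database server", 3)

SAMPLE_FLOWS = [
    Flow(USER, WEB, "login credentials"),
    Flow(WEB, LOGIC, "transfer request"),
    Flow(LOGIC, DB, "SQL query"),
    Flow(DB, LOGIC, "account records"),
    Flow(LOGIC, AUDIT, "audit event"),  # same trust level: not flagged
]


if __name__ == "__main__":
    for label, threats in analyze(SAMPLE_FLOWS).items():
        print(label)
        for category, control in threats:
            print(f"    {category:24s} -> control: {control}")
```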
45
Training topics
- Security Scanning of Web Applications
- OWASP Top 10
- Threat Modeling
- Source code Review for Security
- Code Scanning for Security
- PCI DSS and PA-DSS certification
- Security issues in various UI frameworks
- Web Server and Application server hardening
- Click Jacking
- Phishing Attack
- OWASP Live CD Tools project
- Identify and test security issues for QA
- Web Services Security
- Security for Internationalized software
Security awareness and training is the key to building secure applications.
1.1 OWASP Top 10: This will include identifying critical issues and remediation, and a discussion of the Enterprise Security APIs by OWASP. Topics: Cross Site Scripting, Injection Flaws, Malicious File Execution, Insecure Direct Object Reference, Cross Site Request Forgery (CSRF), Information Leakage and Improper Error Handling, Broken Authentication and Session Management, Insecure Cryptographic Storage, Insecure Communications, Failure to Restrict URL Access.
1.2 Vulnerability Scanning: Open source tools: W3AF by OWASP, Paros Proxy by OWASP. Commercial tools: WebInspect by HP, IBM Rational AppScan.
Threat Modeling: Threat modeling is essentially a structured representation of all the information that affects the security of an application. In essence, it is a view of the application and its environment through security glasses. Threat modeling enables informed decision-making about application security risk. In addition to producing a model, typical threat modeling efforts also produce a prioritized list of security improvements to the concept, requirements, design, or implementation. Threat modeling is a technique that we can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect web applications. It helps in designing applications securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of the SDLC and helps mitigate and minimize overall risk. Discuss the Microsoft SDL (Security Development Lifecycle) Threat Modeling tool. Following is an outline of a generic methodology for threat modeling:
- Assessment Scope
- System Modeling
- Identify Threats
- Identify Vulnerabilities
- Examining the Threat History
- Evaluation of Impact on the Business
- Developing a Security Threat Response Plan
Source code Review for Security: Code review is probably the single most effective technique for identifying security flaws. Security code review is the process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places. Security code review is a method of assuring that application developers are following secure development techniques. Tools can be used to perform this task but they always need human verification. Tools do not understand context, which is the keystone of security code review. Tools are good at assessing large amounts of code and pointing out possible issues, but a person needs to verify every single result to determine if it is a real issue, if it is actually exploitable, and to calculate the risk to the enterprise. Human reviewers are also necessary to fill in for the significant blind spots where automated tools simply cannot check.
Code Scanning for Security: A discussion on source code scanning, which does static analysis of the code and finds vulnerabilities. Explore commercial and open source code scanning tools.
PCI DSS and PA-DSS certification: A continued discussion on PCI and PA-DSS requirements for successful auditing.
Identification and remediation of security issues in Adobe Flex applications: A discussion on security scanning for Flex applications. Explore open source and commercial tools for security scanning of Flex applications. Go over security issues in Flex applications and their remediation.
Web Server and Application server hardening: Web server and application server configurations play a key role in the security of a web application. These servers are responsible for serving content and invoking applications that generate content. In addition, many application servers provide a number of services that web applications can use, including data storage, directory services, mail, messaging, and more. Failure to manage the proper configuration of servers can lead to a wide variety of security problems:
- Unpatched security flaws in the server software
- Server software flaws or misconfigurations that permit directory listing and directory traversal attacks
- Unnecessary default, backup, or sample files, including scripts, applications, configuration files, and web pages
- Improper file and directory permissions
- Unnecessary services enabled, including content management and remote administration
- Default accounts with their default passwords
- Administrative or debugging functions that are enabled or accessible
- Overly informative error messages
- Misconfigured SSL certificates and encryption settings
- Use of self-signed certificates to achieve authentication and man-in-the-middle protection
- Use of default certificates
- Improper authentication with external systems
Click Jacking: Clickjacking, also known as a UI redress attack, is when an attacker uses multiple (often transparent) layers so that when a user clicks on an area of the web page they are inadvertently clicking on a button or link on another page. Using the same technique, keystrokes can also be hijacked, so a user believes they are typing their password into their email or their bank account, but in reality they are typing into an invisible frame, possibly controlled by the attacker.
Phishing Attack: Phishing attacks are one of the highest visibility problems for banking and e-commerce sites, with the potential to destroy a customer's livelihood and credit rating. Phishing is misrepresentation where the criminal uses social engineering to appear as a trusted identity. They leverage the trust to gain valuable information; usually details of accounts, or enough information to open accounts, obtain loans, or buy goods through e-commerce sites. Up to 5% of users seem to be lured into these attacks, so it can be quite profitable for scammers, many of whom send millions of scam emails a day.
Identify and test security issues for QA (targeted to the QA group): A discussion on how the QA group can test web application security. A demo of different tools to facilitate testing and identifying security issues.
OWASP Live CD Tools project: A discussion on the OWASP Live CD security tools project and how to use these tools to identify security issues.
Web Services Security: This will include a discussion on web services vulnerabilities, WS-Security and security scanning for web services.
Security for Internationalized software: This will include discussion targeting special security issues in internationalized applications and the additional threats these might expose us to, for example allowing Spanish or Chinese characters into the system and the challenge this might pose to the system.
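Several items in the hardening list above (overly informative responses, default configuration) and the clickjacking topic can be checked from a server's HTTP response headers. The Python below is an added example, not part of the presentation; the two sample responses are constructed, and the rule set and function names are this example's own.

```python
import re

# Constructed sample responses: a default install and a hardened one.
SAMPLE_DEFAULT = """HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Type: text/html
"""

SAMPLE_HARDENED = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
"""


def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    headers = {}
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def framing_allowed(headers: dict) -> bool:
    """Clickjacking check: other sites may frame the page unless X-Frame-Options
    or a CSP frame-ancestors directive restricts it. frame-ancestors with an
    explicit source list (e.g. 'none' or 'self') counts as restricted; '*' does not."""
    xfo = headers.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    csp = headers.get("content-security-policy", "")
    match = re.search(r"frame-ancestors\s+([^;]+)", csp, re.IGNORECASE)
    if match:
        sources = match.group(1).split()
        return "*" in sources
    return True


def audit_headers(headers: dict) -> list:
    """Return findings, each tied to an item of the hardening list above."""
    findings = []
    if framing_allowed(headers):
        findings.append("Clickjacking: no X-Frame-Options or CSP frame-ancestors restriction")
    for name in ("server", "x-powered-by"):
        # A version number in these headers is the 'overly informative' case:
        # it tells an attacker exactly which vulnerability database entries apply.
        if re.search(r"\d+\.\d+", headers.get(name, "")):
            findings.append(f"Overly informative header: {name} discloses a version")
    return findings


if __name__ == "__main__":
    for label, raw in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, "->", audit_headers(parse_headers(raw)) or "no findings")
```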
46
??? Since no customer is complaining, why does an organization need to fix security vulnerabilities in its applications?
- Compliance
- In case of a security breach: fines; reputation loss - priceless
47
??? What do we do if our application is already in production and it has missed that phase of security?
It's never too late and never too early. It is a continuous process... Penetration testing and security code review are the key. We must fix security leaks and vulnerabilities.
48
??? What will help?
- Leverage OWASP
- Security Code Review
- Value of mentoring is enormous
- Application scanning and code scanning using static analysis tools
- Web application security as part of the SDLC process
- Secure code development training
- Train QA to find security issues in the application
What can we do in our organization that will help? Leverage OWASP. Security code review is very important. The value of mentoring is enormous. Application scanning and code scanning using static analysis tools will find lots of issues. Make web application security part of the SDLC process. Secure code development training is important. Train QA to find security issues in the application.
49
Make Security part of the SDLC process
If you cannot remember anything we discussed so far, just remember one thing: "Make security part of the SDLC process". As an organization we will significantly reduce the risk of our applications being attacked and compromised by attackers! Be Safe!