Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Fleck CS 469: Security Engineering

Similar presentations


Presentation on theme: "Dan Fleck CS 469: Security Engineering"— Presentation transcript:

1 Dan Fleck CS 469: Security Engineering
Secure Engineering Dan Fleck CS 469: Security Engineering 1 Sources: https://www.owasp.org/index.php/OWASP_Guide_Project Coming up: Secure Web Applications

2 Secure Web Applications
OWASP Guide to Secure web applications Security Standards (COBIT or ISO17799) If you’re publicly traded in most countries, you must have an information security policy If you’re publicly traded in the US, you must have an information security policy which is compliant with SOX requirements, which generally means COBIT controls If you’re privately held, but have more than a few employees or coders, you probably need one Popular FOSS projects, which are not typical organizations, should also have an information security policy 2 Coming up: Development Methodology

3 Development Methodology
Attributes to look for in a development methodology: Strong acceptance of design, testing and documentation Places where security controls (such as threat risk analysis, peer reviews, code reviews, etc) can be slotted in Works for the organization’s size and maturity Has the potential to reduce the current error rate and improve developer productivity 3 The choice of development methodology is not as important as simply having one. Coming up: Attackers

4 Attackers From most likely and damaging to least…
Disgruntled staff or developers “Drive by” attacks, such as side effects or direct consequences of a virus, worm or Trojan attack Motivated criminal attackers, such as organized crime Criminal attackers without motive against your organization, such as defacers Script kiddies 4 Coming up: Security Principles

5 Security Principles Minimize Attack Surface Secure defaults
Principle of least privilege Principle of defense in depth Fail securely External Systems are insecure Separation of duties Do not trust security through obscurity Simplicity Fix security issues correctly 5 Coming up: Minimize Attack Surface

6 Minimize Attack Surface
Every feature in your system adds to the attack surface Reduce risk by reducing attack surface Example: Web application has inline help with a search function May be vulnerable to SQL injection Reduce: limit feature to authorized users Reduce: use validation routines on input SQL Eliminate: Re-write UI to eliminate need for search function! How to estimate the attack surface: https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet 6 Coming up: Secure Defaults

7 Secure Defaults Make the “out of the box” user experience good, but secure! Example: default password aging ON default password complexity ON Does your browser do this? Does Facebook? Why or why not? Does Ubuntu? https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks 7 Coming up: Principle of Least Privilege

8 Principle of Least Privilege
Users (accounts) should have the least amount of privileges needed to do their job Including: CPU limits, memory limits, network and file system permissions Example: If a middleware server only requires network access, ability to read the DB and ability to write to log files, that is ALL it should be able to do! 8 Coming up: Principle of Defense in Depth

9 Principle of Defense in Depth
Controlling defense by using multiple, different, independent approaches is always preferable Layers of defenses good when possible Example: Flawed user admin interface harder to exploit if it correctly gates access to production management networks (isolation), checks for user authorization, and logs all access Example: How do you protect your computer? Anti-virus, usernames/passwords, IDS, firewall, encryption of important files, biometrics(?) 9 Coming up: Fail securely

10 Fail securely Secure or not secure?
When failing, fail into a secure state isAdmin = true; try { codeWhichMayFail(); isAdmin = isUserInRole( “Administrator” ); } catch (Exception ex) { log.write(ex.toString()); } Secure or not secure? 10 Coming up: External systems are insecure

11 External systems are insecure
If your system uses a third party system, assume it’s not as secure as you. They have different constraints, different motivations, etc… Check all data they send. Assume it’s not trusted. 11 Coming up: Separation of duties

12 Separation of duties Make sure multiple users are needed to perform secure tasks. Typically, administrators have special privileges, so they should NOT be users also. Example: An admin can turn the system on/off and change the password policies. Thus, they should not have access to login to the system as a privileged user to buy items on behalf of users. 12 Coming up: Do not trust security through obscurity

13 Do not trust security through obscurity
Security should be reliant on keeping secrets Obscurity is a weak control and almost always fails when it’s the only one in place. You can use it, but NOT as the only idea. Example: security of an application should NOT be reliant on keeping the source secret. Does this happen? What’s more secure, Windows or Linux?  Why do you think? What about Android vs iOS? 13 Coming up: Simplicity

14 Simplicity Generally, simplicity helps reduce attack surface
Complex approaches frequently cause holes and frequently are only in place to handle “future” expansion that may never happen. Code is done when it works… stop coding! (This is also a software engineering principle) 14 Coming up: Fix security issues correctly

15 Fix security issues correctly
When security issues are found, check all places they may be. Specifically, if found in common code or design patterns being used the same code problem may be in multiple places Example: A user finds by manipulating cookies they can view another user’s balance. Fixing the problem is simple, but the same cookie handling code may be in multiple other places within the application 15 Coming up: Threat Risk Modeling and Objectives

16 Threat Risk Modeling and Objectives
Identity: does this application protect user’s identity from misuse? Reputation: the loss of reputation derived from the application being misused or successfully attacked Financial: the level of risk the organization is prepared to stake in remediation potential financial loss. Privacy and regulatory: to what extent shall applications protect user’s data. Forum software is by its nature public, but a tax program is inherently bound up in tax regulation and privacy legislation in most countries Availability guarantees: is this software required to be available by SLA or similar agreement? Is it nationally protected infrastructure? To what level will the application need to be available? 16 Coming up: Document Threats

17 Document Threats Sample threat graph 17
Coming up: Lots of “threat modeling” templates out there

18 Lots of “threat modeling” templates out there
STRIDE: Spoofing identity Tampering with data Repudiation Information disclosure Denial of service Elevation of privileges There are others though (CVSS, OCTAVE, AS/NZS…) 18 Coming up: Phishing

19 Phishing 19 5% of users are lured into these attacks! [2005]
Delivery via web site, or instant message, the attack asks users to click on a link to “re-validate” or “re-activate” their account. The link displays a believable facsimile of your site and brand to con users into submitting private details Sends a threatening to users telling them that the user has attacked the sender. There’s a link in the which asks users to provide personal details Installs spyware that watches for certain bank URLs to be typed, and when typed, up pops a believable form that asks the users for their private details Installs spyware that watches for POST data, such as usernames and passwords, which is then sent onto a third party system Installs spyware that dredges the host PC for information from caches and cookies “Urgent” messages that the user’s account has been compromised, and they need to take some sort of action to “clear it up” Messages from the “Security” section asking the victim to check their account as someone illegally accessed it on this date. Just click this trusty link... 19 Coming up: Countering Phishing

20 Countering Phishing Some technical approaches
sanitizing attachments anti-adware, malware Best approach: user education 20 Coming up: Countering Phishing when using

21 Countering Phishing when using email
Tell users every single time you communicate with them, that: they must type your URL into their browser to access your site you don’t provide links for them to click you will never ask them for their secrets and if they receive any such messages, they should immediately report any such to you, and you will forward that on to their local law enforcement agencies Consistent branding – don’t send that references another company or domain. Reduce Risk - don’t send at all. Reduce Risk - don’t send HTML . 21 Coming up: Countering Phishing when using (cont)

22 Countering Phishing when using email (cont)
Reduce Risk - be careful of using “short” obfuscated URLs (like Increase trust - Many large organizations outsource customer communications to third parties. Work with these organizations to make all communications appear to come from your organization (i.e., crm.example.com where example.com is your domain, rather than smtp34.massmailer.com or even worse, just an IP address). Increase trust - set up a Sender Policy Framework (SPF) record in your DNS to validate your SMTP servers. Phishing s not sent from servers listed in your SPF records will be rejected by SPF aware MTAs. 22 Coming up: Countering Phishing when using (cont)

23 Countering Phishing when using email (cont)
Increase trust – sign Incident Response - Don’t send users notification that their account has been locked or fraud has occurred – if that has happened, just lock their accounts and provide a telephone number or address for them to contact you (or even better, ring the user) 23 Coming up: Customer Relations

24 Website Guidelines Never ask customers for their secrets
Fix XSS issues Don’t use pop-ups. They confuse people and make it easier for attackers Don’t use frames – attackers can re-use them Enforce local referrers for images and other resource – this forces attackers to copy them, and possibly mess them up or forget to update when you change them Investigate any connections that just pull images 24 Coming up: Website Design

25 Website Guidelines (cont)
Don’t be the source of identity theft – If you maintain information about the users, don’t present this data to users. Example: Internet Banking solutions may allow users to update their physical address records. There is no point in displaying the current address within the application, so the Internet Banking solution’s database doesn’t need to hold address data – only back end systems do. 25 Coming up: Safeguards

26 Safeguards to limit exposure
If an account is opened, but not used for a period of time (say a week or a month), disable it. Verify the registration info. Example: does the ZIP code mean California, but the phone number come from New York? Daily limits, particularly for unverified customers. Settlement periods for offsite transactions to allow users time to repudiate transactions. Only deliver goods to the customer’s home country and address as per their billing information Only deliver goods to verified customers (or consider a limit for such transactions). 26 Coming up: Safeguards

27 Safeguards to limit exposure (cont)
If your application allows updates to addresses or physical addresses, send a notification to both the new and old addresses when the key contact details change. Do not send existing or permanent passwords via s or physical mail. Use one time, time limited verifiers instead. Implement SMS or notification of account activities, particularly those involving transfers and change of address or phone details. Prevent too many transactions from the same user being performed in a certain period of time – this slows down automated attacks. Two factor authentication for highly sensitive or high value transactional accounts. 27 Coming up: Monitor Unusual Activity

28 Monitor Unusual Activity
Example: Clearing out their accounts What are some others for a banking application? What about a web commerce app? 28 Coming up: Other things…

29 Other things… All of us are smarter than any of us
There are more things to do… secure standards Network security Secure coding Cryptography (all the things we discussed in the semester! ) etc, etc… always learn, always research best practices https://www.owasp.org/index.php/Cheat_Sheets https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project 29 All of us are smarter than any of us (but don’t apply this during exams  ) Coming up: Other things…

30 30 End of presentation


Download ppt "Dan Fleck CS 469: Security Engineering"

Similar presentations


Ads by Google