PwC New Technologies New Risks

PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security –Internal user authentication –Access Control List on single host

PricewaterhouseCoopers Technology and Security Evolution Network Technology –Multiple Trusted hosts –Multiple Trusted users Security –Access Control Lists on multiple trusted hosts –Internal user authentication –Network segmentation

PricewaterhouseCoopers Technology and Security Evolution Internet Technology –Large number of untrusted users –Untrusted network –Complexity Network Configuration Security –Access Control Lists on multiple untrusted hosts –External user authentication –Network segmentation and filtering (Firewalls)

PricewaterhouseCoopers Technology Evolution E-commerce and Web services Critical Data Complexity –Network –Configuration –Development Business 2 Business (B2B) Business 2 Clients (B2C)

PwC E-commerce and Web services New Risks

PricewaterhouseCoopers Access to Critical data over trusted communication ports

PricewaterhouseCoopers Rapid development Complex Development Framework Competitive Market Development Cost Automation Tools

PricewaterhouseCoopers High level language for complex tasks New languages hide complexity Development Complexity is hidden Template and Wizards Distributed Programming Architecture

PricewaterhouseCoopers Scripting language Not compiled Process flow can be modified at run time Rely on compiled languages Used in untrusted environment to access critical data

PricewaterhouseCoopers Dynamic Environment High level of customization Different integration requirements Custom development

PwC How web application works?

PricewaterhouseCoopers Web Application Process

PricewaterhouseCoopers Terminology Script Argument argument1=somedata Script Argument Data argument1=somedata1

PricewaterhouseCoopers Web communication GET –Most widely used request method used. –Simplest request method. –Consist of resource and argument –Example: argument1=data POST –Used to transfer data with server. –Mostly used in conjunction with HTML form

PwC Current Attack Methods

PricewaterhouseCoopers SQL Injection SQL injection is the process of modifying the internal SQL query of the server side script to perform actions not intended by the developers. SQL injection can have serious security implications from data loss to full infiltration of your internal network. Widely used and most documented type of web application attack Can be used against most language used to develop web applications Only impact application using back end SQL server to store data

PricewaterhouseCoopers Code Injection Code injection is the process of injecting code that will be processed by the server. Code injection is extremely dangerous since the remote attacker can make the server run is code.. Code injection is not widely used and is cause by file access abstraction. Not all programming language are affected.

PricewaterhouseCoopers Application Discovery with Program Error Like normal applications, web application will display error messages when something goes wrong Error messages will often display a lot of information on the environment and the cause of the error. Often the information displayed give to much information Error messages are often used by attackers to help them gain a better understanding of the environment they are attacking and can help them construct very precise attacks.

PricewaterhouseCoopers Error Reporting Example

PwC Development Considerations to Prevent Attacks

PricewaterhouseCoopers Dealing with Hostile Environment  All incoming data should be threaded as potentially invalid  All outgoing data should be documented and all undocumented data should not be sent to the client  All error messages should be standardized

PricewaterhouseCoopers Dealing with Error Reporting  All error should be catched by the application  When an error occur, the user should be directed to a standard page indicating an that an error as occurred.  The full error message should be sent to the development team.

PricewaterhouseCoopers Programming Language - Application Programming Interface  Developers and Software engineer should review all functions used and the full impact they might have.  A detailed list of valid characters should be made and all other should be rejected.

PricewaterhouseCoopers Platform Configuration  Administrators should read the documentation of the specified platform used to run the web applications.  Administrators and developers should be aware of the types of internal and external communication it may use with other applications (single sign on, data base, LDAP,...).

PricewaterhouseCoopers Network Configuration  Only port used by your web server (often 80(HTTP) and 443(HTTP-SSL) should be allowed as incoming communication.  Outgoing communication should be restricted to limit many types of attack.  All communication between the various servers used in your environment should be documented and all other types of communication should be restricted.  For added security, all traffic between servers that should not be talking to each other should be flagged and investigated immediately.

PwC PricewaterhouseCoopers GRMS

PricewaterhouseCoopers GRMS - Information Security Solutions Web Application Assessment –Input Validation –Configuration –Assessment of platform Attack and Penetration –Network Security Assessment –Penetration Tests –Host Security Assessment Source Code review –Security Architecture review –Identification of vulnerable functions calls –Integrity