Presentation is loading. Please wait.

Presentation is loading. Please wait.

March 4, 2008 ISACA Web Application Security James Walden Northern Kentucky University

Published byDwight Cummings Modified over 8 years ago

Similar presentations

Presentation on theme: "March 4, 2008 ISACA Web Application Security James Walden Northern Kentucky University"— Presentation transcript:

1 March 4, 2008 ISACA Web Application Security James Walden Northern Kentucky University waldenj@nku.edu

2 March 4, 2008ISACA Is your web site secure?

3 March 4, 2008ISACA Is your web site secure? Yes, we deployed SSL, firewall, etc. Does SSL protect all communications? What about stored data? What about injection attacks and XSS?

4 March 4, 2008ISACA Firewalls don’t protect web apps Firewall Port 80 HTTP Traffic Web Client Web Server Application Database Server telnet ftp

5 March 4, 2008ISACA Is your web site secure? Yes, we’re certified as being secure. PCI scans quarterly; apps change weekly. Geeks.com, certified HackerSafe by McAfee, lost thousands of CCs in 2007.

6 March 4, 2008ISACA Is your web site secure? Yes, we have logs of blocked attacks. Better, you have some real evidence. Did you log non-blocked requests too?

7 March 4, 2008ISACA Is your web site secure? Yes, we have a SDLC and record network, host, and application-based logs. Secure Development LifeCycle Risk analysis Secure design Code reviews Security testing Correlate logs for multi-perspective picture.

8 March 4, 2008ISACA Topics 1. The Problem of Software Security 2. Web Application Vulnerabilities 3. SQL Injection 4. Software Security Practices

9 March 4, 2008ISACA Reasons for Attacking Web Apps

10 March 4, 2008ISACA A Growing Problem

11 March 4, 2008ISACA Web Application Exploits 2007

12 March 4, 2008ISACA The source of the problem “Malicious hackers don’t create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation.” John Viega & Gary McGraw

13 March 4, 2008ISACA Web Application Vulnerabilities

14 March 4, 2008ISACA Injection Injection attacks trick an application into including unintended commands in the data send to an interpreter. Interpreters Interpret strings as commands. Ex: SQL, shell (cmd.exe, bash), LDAP, XPath Key Idea Input data from the application is executed as code by the interpreter.

15 March 4, 2008ISACA SQL Injection 1. App sends form to user. 2. Attacker submits form with SQL exploit data. 3. Application builds string with exploit data. 4. Application sends SQL query to DB. 5. DB executes query, including exploit, sends data back to application. 6. Application returns data to user. Attacker Web Server DB Server Firewall User Pass ‘ or 1=1--

16 March 4, 2008ISACA SQL Injection in PHP $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: ". mysql_error()); mysql_select_db($DB_DATABASE); $query = "select count(*) from users where username = '$username' and password = '$password'"; $result = mysql_query($query);

17 March 4, 2008ISACA SQL Injection Attack #1 Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.

18 March 4, 2008ISACA SQL Injection Attack #2 Database Modification Attack: password = foo’; delete from table users where username like ‘% DB executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from table users where username like ‘%’

19 March 4, 2008ISACA SQL Injection Demo

20 March 4, 2008ISACA Impact of SQL Injection SELECT SSN FROM USERS WHERE UID=‘$UID’ INPUTRESULT 5Returns info for user with UID 5. ‘ OR 1=1--Returns info for all users. ‘ UNION SELECT Field FROM Table WHERE 1=1-- Returns all rows from another table. ‘;DROP TABLE USERS-- Deletes the users table. ‘;master.dbo.xp_c mdshell ‘cmd.exe format c: /q /yes’ -- Formats C: drive of database server if you’re running MS SQL Server and extended procedures aren’t disabled.

21 March 4, 2008ISACA Impact of SQL Injection 1. Leakage of sensitive information. 2. Reputation decline. 3. Modification of sensitive information. 4. Loss of control of db server. 5. Data loss. 6. Denial of service.

22 March 4, 2008ISACA The Problem: String Building Building a SQL command string with user input in any language is dangerous. Variable interpolation. String concatenation with variables. String format functions like sprintf(). String templating with variable replacement.

23 March 4, 2008ISACA Mitigating SQL Injection Partially Effective Mitigations Blacklists Stored Procedures Effective Mitigations Whitelists Prepared Queries

24 March 4, 2008ISACA Software Security Practices 1. Code Reviews 2. Risk Analysis 3. Penetration Testing Security Operations RequirementsDesignCodingTestingMaintenance Risk Analysis Abuse Cases Code Reviews + Static Analysis Penetration Testing Security Testing 4. Security Testing 5. Abuse Cases 6. Security Operations

25 March 4, 2008ISACA Code Reviews Security Operations RequirementsDesignCodingTestingMaintenance Risk Analysis Abuse Cases Code Reviews + Static Analysis Penetration Testing Security Testing Planning Author Moderator Prep Everyone Meeting Everyone Rework Author Follow-up Author Moderator Fix implementation bugs, not design flaws.

26 March 4, 2008ISACA Benefits of Code Reviews 1. Find defects sooner in development lifecycle. (IBM finds 82% of defects before testing.) 2. Find defects with less effort than testing. (IBM—review: 3.5 hrs/bug, testing: 15-25 hrs/bug.) 3. Find different defects than testing. (Can identify some design problems too.) 4. Educate developers about security bugs. (Developers frequently make the same mistakes.)

27 March 4, 2008ISACA Static Analysis Automated assistance for code reviews Speed: review code faster than humans can Accuracy: hundreds of secure coding rules Results

28 March 4, 2008ISACA Architectural Risk Analysis Fix design flaws, not implementation bugs. 1. Develop an architecture model. 2. Model threats and attack scenarios. 3. Rank risks based on probability and impact. 4. Develop mitigation strategy. Security Operations RequirementsDesignCodingTestingMaintenance Risk Analysis Abuse Cases Code Reviews + Static Analysis Penetration Testing Security Testing

29 March 4, 2008ISACA Threat Modeling 1. Identify System Assets. System resources that an adversary might attempt to access, modify, or steal. Ex: credit cards, network bandwidth, user access. 2. Identify Entry Points. Data or control transfers between systems. Ex: network sockets, RPCs, web forms, files 3. Determine Trust Levels. Privileges external entities have to legitimately use system resources.

30 March 4, 2008ISACA Penetration Testing Test software in deployed environment by attacking it. Allocate time at end of development to test. Time-boxed: test for n days. May be done by an external consultant. Security Operations RequirementsDesignCodingTestingMaintenance Risk Analysis Abuse Cases Code Reviews + Static Analysis Penetration Testing Security Testing

31 March 4, 2008ISACA Security Testing Different from penetration testing White box (source code is available.) Use risk analysis to build tests. Measure security against risk model. Security Operations RequirementsDesignCodingTestingMaintenance Risk Analysis Abuse Cases Code Reviews + Static Analysis Penetration Testing Security Testing

32 March 4, 2008ISACA Security Testing Intendended Functionality Actual Functionality Functional testing will find missing functionality. Injection flaws, buffer overflows, XSS, etc.

33 March 4, 2008ISACA Abuse Cases Anti-requirements Think explicitly about what program shouldn’t do. A use case from an adversary’s point of view. Security Operations RequirementsDesignCodingTestingMaintenance Risk Analysis Abuse Cases Code Reviews + Static Analysis Penetration Testing Security Testing

34 March 4, 2008ISACA Security Operations Deploying security Secure default configuration. Web application firewall for defense in depth. Incident response What happens when a vulnerability is reported? How do you communicate with users? Security Operations RequirementsDesignCodingTestingMaintenance Risk Analysis Abuse Cases Code Reviews + Static Analysis Penetration Testing Security Testing

35 March 4, 2008ISACA Conclusions Web applications are a primary target. Sensitive information Defacement Malware distribution Software Security ≠ Security Features SSL will not make your site secure. Firewalls will not make your site secure. Improving software development Code reviews. Risk analysis. Security testing.

36 March 4, 2008ISACA References 1. Mark Dowd, John McDonald, Justin Schuh, The Art of Software Security Assessment, Addison-Wesley, 2007. 2. Mitre, Common Weaknesses – Vulnerability Trends, http://cwe.mitre.org/documents/vuln-trends.html, 2007. http://cwe.mitre.org/documents/vuln-trends.html 3. Gary McGraw, Software Security, Addison-Wesley, 2006. 4. J.D. Meier, et. al., Improving Web Application Security: Threats and Countermeasures, Microsoft, http://msdn2.microsoft.com/en- us/library/aa302418.aspx, 2006. 5. OWASP Top 10, http://www.owasp.org/index.php/OWASP_Top_Ten_Project, 2007. http://www.owasp.org/index.php/OWASP_Top_Ten_Project 6. Ivan Ristic, Web Application Firewalls: When Are They Useful?, OWASP AppSec EU 2006. 7. Joel Scambray, Mike Shema, and Caleb Sima, Hacking Exposed: Web Applications, 2 nd edition, Addison-Wesley, 2006. 8. Dafydd Stuttard and Marcus Pinto, Web Application Hacker’s Handbook, Wiley, 2007. 9. WASC, “Web Application Incidents Annual Report 2007,” https://bsn.breach.com/downloads/whid/The%20Web%20Hacking%20Incid ents%20Database%20Annual%20Report%202007.pdf, 2008. https://bsn.breach.com/downloads/whid/The%20Web%20Hacking%20Incid ents%20Database%20Annual%20Report%202007.pdf

Download ppt "March 4, 2008 ISACA Web Application Security James Walden Northern Kentucky University"

Similar presentations

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
OWASP WEBGOAT Alaa Darabseh Department of Computer Science

OWASP WEBGOAT Alaa Darabseh Department of Computer Science
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.

James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
SQL Injection CPSC 4670.

SQL Injection CPSC 4670.
Evolving Threats. Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls.

Evolving Threats. Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls.
HTTP and Server Security James Walden Northern Kentucky University.

HTTP and Server Security James Walden Northern Kentucky University.
Drupal Security Securing your Configuration Justin C. Klein Keane University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Drupal Security Securing your Configuration Justin C. Klein Keane University of Pennsylvania School of Arts and Sciences Information Security and Unix.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Penetration Testing James Walden Northern Kentucky University.

Penetration Testing James Walden Northern Kentucky University.
A Security Review Process for Existing Software Applications

A Security Review Process for Existing Software Applications
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.

Similar presentations

Ads by Google