2. Application Security
Application Security: Securing software Applications
Topics
• Web application security:
• Securing web applications
• API (Application Programming Interface) Security
• Securing API communication between machines/applications
• Mobile Security:
• Securing mobile applications
• Container security:
• Securing software containers
• Open-source security:
• Securing the open-source software in use
© 2019 Claren
3. Web Application Security
OWASP Top 10 2017
• A1 - Injection
• A2 - Broken Authentication
• A3 - Sensitive Data Exposure
• A4 - XML External Entities (XXE)
• A5 - Broken Access Control
• A6 - Security Misconfiguration
• A7 - Cross Site Scripting (XSS)
• A8 - Insecure Deserialization
• A9 - Using Components with Known Vulnerabilities
• A10 - Insufficient Logging and Monitoring
4. Web Application Security: Risk Ratings
Rating scale: Exploitability (3: Easy, 2: Average, 1: Difficult); Prevalence (3: Widespread, 2: Common, 1: Uncommon); Detectability (3: Easy, 2: Average, 1: Difficult); Technical Impact (3: Severe, 2: Moderate, 1: Minor)
| Risk | Exploitability | Prevalence | Detectability | Technical Impact | Business Impact |
| --- | --- | --- | --- | --- | --- |
| Injection | 3 | 2 | 3 | 3 | Data loss, corruption, data disclosure, loss of accountability, denial of access, host takeover |
| Broken Authentication | 3 | 2 | 3 | 3 | Money laundering, social security fraud, and identity theft, or disclose sensitive info |
| Sensitive Data Exposure | 2 | 3 | 2 | 3 | PII leak requiring legal penalty |
| XML External Entities (XXE) | 2 | 2 | 3 | 3 | Extract data, execute a remote request, scan internal systems, DoS attack, execute other attacks |
| Broken Access Control | 2 | 2 | 2 | 3 | CRUD on data |
| Security Misconfiguration | 3 | 3 | 3 | 2 | System compromise |
| Cross Site Scripting (XSS) | 3 | 3 | 3 | 2 | Stealing credentials, sessions, or delivering malware |
| Insecure Deserialization | 1 | 2 | 2 | 3 | Remote code execution |
| Using Components with Known Vulnerabilities | 2 | 3 | 2 | 2 | Depends |
| Insufficient Logging and Monitoring | 2 | 3 | 1 | 2 | Raise the likelihood of successful exploit to nearly 100%. |
5. Injection, Broken Authentication
Injection
Cause: User input not validated
Method of exploits:
• User input can carry a database/LDAP query that reveals data or makes changes in the database
Mitigation:
• Validate user input
• Separate data from command
• Limit data exposure
• Use server-side validation
• Use escape sequences
• Query parameterization
• Use WAF

Broken Authentication
Cause: Inadequate or no authentication
Method of exploits:
• Brute force
• Default/weak/known/unencrypted password
• No MFA
• Exposed URL with session ID
• Static session ID with no expiry
• Automated credential stuffing
Mitigation:
• Check passwords against common passwords
• Check password complexity at registration
• Enforce password rotation
• Use exponentially increasing delays after failed login attempts
• Server-side session management
• Use MFA
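Added example (not from the original slides): the Injection mitigations "separate data from command", "query parameterization" and "server-side validation" shown side by side with the weak form, using Python's sqlite3. The table, the sample rows, the crafted input and the name policy are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample input: a value shaped to change the query's logic.
CRAFTED = "nobody' OR '1'='1"

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db

def lookup_concatenated(db, name):
    """Weak form: user input is spliced into the command text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    """Hardened form: data is bound separately and never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def valid_name(name):
    """Server-side allow-list check (assumed policy: 1-32 word characters)."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", name) is not None

if __name__ == "__main__":
    db = make_db()
    # The weak form returns every row; the hardened form returns none.
    print("concatenated :", lookup_concatenated(db, CRAFTED))
    print("parameterized:", lookup_parameterized(db, CRAFTED))
    print("passes validation:", valid_name(CRAFTED))
```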
6. Sensitive Data Exposure, XML External Entities (XXE)
Sensitive Data Exposure
Cause: Insecure collecting, handling, storing, transmitting or deleting of data
Method of exploits:
• Look for exposed data
Mitigation:
• Classify data, apply controls, encrypt data at rest and in motion
• Use WAF, key management
• Encrypt data in motion with a strong cipher: TLS with perfect forward secrecy (PFS)
• Cipher prioritization, secure parameters
• Use HTTP Strict Transport Security (HSTS) to guard against protocol downgrade and cookie hijacking
• Disable caching for sensitive data
• Store passwords with an adaptive, salted hash (Argon2, scrypt) to guard against powerful hardware and GPUs

XML External Entities (XXE)
Cause: Manipulated XML, weak XML parser
Method of exploits:
• File upload flaw
• Attack an application parsing XML input and expose data
Mitigation:
• Use JSON
• Avoid serialization for translating data structures
• Use SAST, DAST tools
• Disable external entity processing
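Added example (not from the original slides): storing passwords with an adaptive, salted hash, as the Sensitive Data Exposure mitigation recommends, using scrypt from Python's standard library. The cost parameters and the `$`-separated record layout are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed cost parameters (about 16 MiB of memory per hash); tune per deployment.
N, R, P = 2**14, 8, 1

def _b64(raw):
    return base64.b64encode(raw).decode()

def hash_password(password):
    """Return a self-describing record: scheme, cost parameters, salt, hash."""
    salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return "$".join(["scrypt", str(N), str(R), str(P), _b64(salt), _b64(dk)])

def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt, dk = record.split("$")
        if scheme != "scrypt":
            return False
        expected = base64.b64decode(dk)
        candidate = hashlib.scrypt(password.encode(),
                                   salt=base64.b64decode(salt),
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(expected))
    except ValueError:  # malformed record, bad base64 or invalid parameters
        return False
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    record = hash_password("correct horse battery")  # constructed sample
    print(record)
    print(verify_password("correct horse battery", record))
    print(verify_password("wrong guess", record))
```

Keeping the parameters inside each record lets the cost be raised later without invalidating hashes that are already stored.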
7. Broken Access Control, Security Misconfigurations
Broken Access Control
Cause: Unauthorized access to resources
Method of exploits:
• Missing policy, rules
• Bypass access control checks, privilege escalation
• Not using MFA
Mitigation:
• Deny by default, use least privilege
• Use MFA, delete unwanted accounts
• Minimize CORS (Cross-Origin Resource Sharing)
• Log and audit activities on the server
• Limit actions allowed
• Reduce access area, unwanted services, scrutinize every access
• Rate limit access
• Invalidate JWT tokens
• Disallow access to unexposed URLs/endpoints
• Use SAST, DAST, WAF

Security Misconfigurations
Cause: Inadequate security hardening
Method of exploits:
• Exploit unpatched flaws
• Old accounts, default accounts
• Leaving unused features, services or samples
• Exposing sensitive user or component details in error messages and stack traces
Mitigation:
• Patch flaws
• Disable default configuration or permission
• Unprotected directory listing allowing reverse engineering
• Use repeatable process
• Use same config for all environments, minimum platform
• Security directives: HSTS (HTTP Strict Transport Security), HPKP (HTTP Public Key Pinning), X-Frame-Options header
• Use segmentation for components/tenants, containers and security groups
8. Cross Site Scripting (XSS), Insecure Deserialization
Cross Site Scripting (XSS)
Cause: Jumbled untrusted data from browser content
Method of exploits:
• Client-side code injection exploiting the browser's and the user's trust in the web site
• Steal session cookie
• Write, manipulate DB
Mitigation:
• Reflected XSS, Stored XSS or DOM XSS
• Use escaping
• Use frameworks that automatically do the escaping
• Separate untrusted user input data from active browser content
• Ensure web app is secure
• Use WAF

Insecure Deserialization
Cause: Manipulated deserialized objects
Method of exploits:
• Using serialized objects from untrusted sources
• Super cookie about the logged-in user
• Untrusted user input
• Manipulated super cookie containing serialized information on user role or password hash etc., allowing remote code execution, DoS attack etc.
Mitigation:
• Implement integrity checks such as digital signatures on any serialized objects
• Strict type constraints during deserialization
• Validate user input
• Use WAF
• Run code that deserializes in low-privilege environments
• Monitor, restrict, alert; log deserialization exceptions and failures
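Added example (not from the original slides): the Insecure Deserialization mitigations "integrity checks on serialized objects" and "strict type constraints" applied to a cookie that carries the user's role. It uses an HMAC-SHA256 tag as the integrity check and JSON as the data format; the key, field names and role list are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"   # assumption: loaded from a secret store in practice
ALLOWED_ROLES = {"user", "admin"}  # assumed role list

def _tag(body):
    return hmac.new(SECRET, body, hashlib.sha256).digest()

def issue_cookie(user, role):
    """Serialize as JSON (data only, no code) and append an integrity tag."""
    body = json.dumps({"user": user, "role": role}, sort_keys=True).encode()
    enc = base64.urlsafe_b64encode
    return enc(body).decode() + "." + enc(_tag(body)).decode()

def load_cookie(cookie):
    """Return the session dict, or None if any check fails."""
    try:
        body_b64, tag_b64 = cookie.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None
    # Integrity check comes first: nothing is deserialized before it passes.
    if not hmac.compare_digest(tag, _tag(body)):
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    # Strict type constraints: exact keys, string values, known role.
    if not isinstance(data, dict) or set(data) != {"user", "role"}:
        return None
    user, role = data["user"], data["role"]
    if not (isinstance(user, str) and isinstance(role, str)):
        return None
    return data if role in ALLOWED_ROLES else None

if __name__ == "__main__":
    cookie = issue_cookie("bob", "user")
    print(load_cookie(cookie))
    print(load_cookie(cookie[:-4] + "AAAA"))  # altered tag is rejected
```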
9. Using Components with Known Vulnerabilities, Insufficient Logging and Monitoring
Using Components with Known Vulnerabilities
Cause:
• Inadequate and inconsistent process/enforcement
• A well-known vulnerability is known to everyone
Method of exploits:
• Scan for known vulnerabilities
• Exploit vulnerabilities
Mitigation:
• Inventory clients and servers
• Download from digitally signed official source
• Manage: monitor, patch, config
• Automate and consistently check against CVE (Common Vulnerabilities and Exposures), NVD (National Vulnerability Database)

Insufficient Logging and Monitoring
Cause: No logs, no tracking of activities in logs, non-decipherable context, or no action on logs collected
Method of exploits:
• Turn off logging, manipulate log levels
Mitigation:
• OWASP cheat sheet for logging
• Granular error messages, appropriate alert thresholds, mask data in log files
• Monitor the context using SIEM tools
• Integrity control of logs
11. Mobile Security: Challenges & Best Practices
• Wi-Fi interference: Network spoofing, man-in-the-middle attack
• Enforce use of Encrypted channel or VPN
• Out-of-date devices: Scan for out-of-date devices and exploit vulnerability
• Enforce Software update
• Strong Policy
• Over the air update
• Cryptojacking attacks: Exploit mobile phone software vulnerabilities to mine cryptocurrency
• MFA, strong password, password policy
• Update software
• Limit allowed apps
• Secure browsing, safe URL
• Poor password hygiene
• Strong Policy, password manager
12. Mobile Security: Challenges & Best Practices
• Physical device breaches: User behavior, a balance between flexibility and security
• Jailbroken devices
• Old phones, phones that have not been updated
• Data Leak
• Use Endpoint protection
• Use DLP tools
• MDM solutions
• Social Engineering: Instant and continuous exposure to device
• Phishing: Awareness, SPAM filter, patches, antivirus, web filter, encryption
14. API Security: An overview
• Application Programming Interface (API) is an interface or contract between two entities called a consumer and a provider
• Provides a service based on a contract (WSDL, Swagger/OpenAPI 3). REST API is popular
• Shares (therefore exposes) corporate resources and data
• Digital transformation is the main driver for API Economy
• Another avenue
• to stimulate innovation
• to create customer stickiness
• to build an ecosystem
• for monetization
• for an attack surface
• Private API: Used internally by organizations to integrate with different software systems
• Public API: Programming interfaces exposed to developer communities
• Partner API: Programming interfaces exposed to partners
15. API Security: Challenges
• Application source code exposure
• Shared password between apps
• Unprotected data in backend
• Improperly secured endpoints/URLs
• Unencrypted OAuth token stored or sent in clear text
• OWASP A1, A2, A4, A5, A6, A7, A10 are applicable
• Injection
• Broken Authentication
• XXE (XML External Entities)
• Broken Access Control
• Security Misconfiguration
• XSS (Cross Site Scripting)
• Insufficient logging and monitoring
16. API Security: Methods
• Authentication using
• Username/password
• Cookie Authentication
• Digital certificates
• Keys
• MFA
• Digest
• Bearer (for OAuth 2.0)
• OpenID Connect (OIDC) – ID token for Authentication + Access token
• HOBA (HTTP Origin-Bound Authentication)
• Mutual Authentication Protocol
• Signature
• Authorize using
• OAuth using Access token (needs bearer token and client ID)
17. API Security: Best Practices
• Consider what happens if the data is compromised
• Plan for growth: consideration during design, deployment, intent, which user group
• Consider what resource and fields are exposed, what’s the business, scope and which method
• Use an existing framework, use the existing security process
• Encrypt data in motion
• Use API Gateway for API management (Apigee, MuleSoft)
• analyze authorization
• messages
• tokens and parameters
• track usage
• throttle usage using rate limits
• encrypt and redact logs
18. API Security: Best Practices
• Detect Insecure API calls with Sniffers
• Consistent change management
• Classify as Public, Private or Partner API
• Security scans for both home-grown, third-party libraries and open-source
• Data driven automated testing
• SAST (Static Application Security Testing: white box)
• DAST (Dynamic Application Security Testing: black box, run-time)
• IAST (Interactive Application Security Testing: real time on code, config, connection, 3rd party libraries, framework)
• RASP (Runtime Application Self-Protection): Monitors attacks and terminates sessions
• Security Audit
20. Container Security: An Overview
• What are Containers, why are they needed?
• Containers provide an immutable, portable, reusable, and automatable way to package and run apps
• 5 key components
• Image
• Registry
• Orchestrator
• Container
• Host OS
21. Container Security: Challenges
• Image
• Image vulnerability
• Image configuration defects
• Embedded Malware
• Embedded clear text secrets
• Use of untrusted images
• Registry
• Insecure connection to registries
• Stale images in registries
• Insufficient authentication and authorization
• Orchestrator
• Unbounded administrative access
• Unauthorized access
• Poorly separated inter-container traffic
• Mixing of workload sensitivity
• Orchestrator node trust
22. Container Security: Challenges
• Containers
• Vulnerability in runtime software
• Unbounded network access from containers
• Insecure container runtime config
• App vulnerability
• Rogue containers
• Host OS
• Large attack surface
• Shared kernel
• Host OS component vulnerability
• Improper user access rights
• Host OS File system tampering
23. Container Security: Challenges
• Visibility and identity of each container
• Resource hogging
• Storage of secrets outside the container
• DDOS
24. Container Security: Best Practices
• Use container-specific OSs, a base image with a minimized OS with just the required capabilities
• Group containers with the same purpose, sensitivity, and threat posture on a single host OS
• User Namespaces
• Hypervisor isolation
• Container isolation
• Image whitelist, labeling/versioning
• Container-aware network & process monitoring
• Validated, and digitally signed images with hashes and signatures
• Do live scans, apply runtime controls and container-aware runtime defense tools (Twistlock, NeuVector)
• Secure all tiers with a hardware root of trust, using the industry-standard Trusted Platform Module (TPM)
• Digitally sign or do integrity checks on container images
• Manage lifecycle of containers, use policies
26. Open-source Security: Challenges
• Pull model: users are responsible for keeping track of vulnerabilities, fixes
• Indirect dependency
• Known vulnerabilities in system libraries, container images
• CVEs in distros
• Malicious packages
• Typosquatting
• Compromised CI or registry
• Malicious package included in dependency
• Socially engineered inclusion of malicious package
• GPL license violations/conflicts
27. Open-source Security: An Overview
• Open-source Software
• Free source code released under a license
• The copyright holder grants the rights to freely redistribute, study, modify and share with anyone for any purpose
• Affordability
• Transparency
• Perpetuity
• Interoperability
• Flexibility
28. Open-source Security: Challenges
• Path traversal (aka directory traversal or backtracking)
• Cross-site scripting (XSS)
• Sensitive information exposure: Permissions, privileges, and access control
• Deserialization of untrusted data
• Out-of-bounds write
• Resource management errors
• SQL injection
• Regular expression denial of service (ReDoS)
29. Open-source Security: Best Practices
• Use SCA (Source Code Analysis/Software Composition Analysis) tools
• Enforce consistent Security Audits
• Patch ASAP
• Use encoding to avoid directory traversal
• Use open-source security lifecycle
• Make pre-approved, easy-to-consume libraries, packages, toolchains, and processes available
• Responsible security disclosures
• Secure code base with code review
• Audit code base
• Ensure compliance with software licenses, an essential step in reducing business risk
• Breach of an open-source license can result in IP infringement
• Use tools, e.g. OWASP's ZAP, SonarQube, Black Duck etc.