Application Security
By
Anna Pasupathy CISSP, CISM
© 2019 Claren
Application Security: Securing software applications
Topics
• Web application security:
• Securing web applications
• API (Application Programming Interface) Security
• Securing API communication between machines/applications
• Mobile Security:
• Securing mobile applications
• Container security:
• Securing software containers
• Open-source security:
• Securing the open-source software in use
Web Application Security
OWASP Top 10 2017
• A1 - Injection
• A2 - Broken Authentication
• A3 - Sensitive Data Exposure
• A4 - XML External Entities (XXE)
• A5 - Broken Access Control
• A6 - Security Misconfiguration
• A7 - Cross Site Scripting (XSS)
• A8 - Insecure Deserialization
• A9 - Using Components with Known Vulnerabilities
• A10 - Insufficient Logging and Monitoring
Web Application Security: Risk Ratings
Rating scales: Exploitability (3: Easy, 2: Average, 1: Difficult); Prevalence (3: Widespread, 2: Common, 1: Uncommon); Detectability (3: Easy, 2: Average, 1: Difficult); Technical Impact (3: Severe, 2: Moderate, 1: Minor).

| Risk | Exploitability | Prevalence | Detectability | Technical Impact | Business Impact |
|---|---|---|---|---|---|
| Injection | 3 | 2 | 3 | 3 | Data loss, corruption, data disclosure, loss of accountability, denial of access, host takeover |
| Broken Authentication | 3 | 2 | 3 | 3 | Money laundering, social security fraud, identity theft, or disclosure of sensitive info |
| Sensitive Data Exposure | 2 | 3 | 2 | 3 | PII leak requiring legal penalty |
| XML External Entities (XXE) | 2 | 2 | 3 | 3 | Extract data, execute a remote request, scan internal systems, DoS attack, execute other attacks |
| Broken Access Control | 2 | 2 | 2 | 3 | CRUD on data |
| Security Misconfiguration | 3 | 3 | 3 | 2 | System compromise |
| Cross Site Scripting (XSS) | 3 | 3 | 3 | 2 | Stealing credentials, sessions, or delivering malware |
| Insecure Deserialization | 1 | 2 | 2 | 3 | Remote code execution |
| Using Components with Known Vulnerabilities | 2 | 3 | 2 | 2 | Depends |
| Insufficient Logging and Monitoring | 2 | 3 | 1 | 2 | Raises the likelihood of a successful exploit to nearly 100% |
Injection, Broken Authentication

Injection
• Cause: user input not validated
• Method of exploit: user input is interpreted as a database/LDAP query that reveals data or makes changes in the database
• Mitigation:
  • Validate user input
  • Separate data from command
  • Limit data exposure
  • Use server-side validation
  • Use escape sequences
  • Query parameterization
  • Use a WAF

Broken Authentication
• Cause: inadequate or no authentication
• Methods of exploit:
  • Brute force
  • Default/weak/known/unencrypted passwords
  • No MFA
  • Session ID exposed in the URL
  • Static session ID with no expiry
  • Automated credential stuffing
• Mitigation:
  • Check passwords against lists of common passwords
  • Check password complexity at registration
  • Enforce password rotation
  • Use exponential backoff on failed login attempts
  • Server-side session management
  • Use MFA
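Added example (not from the slides) for the Injection row above: the same user lookup written with string concatenation and with query parameterization, plus the server-side allowlist check the mitigation list calls for; the sqlite3 table, its two rows and the username pattern are constructed for the demo.

```python
import re
import sqlite3

# Constructed in-memory table so the example runs offline.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (username TEXT, email TEXT)")
CONN.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice@example.com"), ("bob", "bob@example.com")])
CONN.commit()

# Server-side validation: an allowlist for the one field this endpoint accepts (assumed format).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def lookup_vulnerable(username: str) -> list:
    """Vulnerable: the value is pasted into the command, so data and command are not separated."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return CONN.execute(query).fetchall()


def lookup_parameterized(username: str) -> list:
    """Mitigated: query parameterization hands the value to the driver apart from the SQL text."""
    return CONN.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


def lookup_hardened(username: str) -> list:
    """Mitigated twice: reject input that fails validation, then parameterize."""
    if not is_valid_username(username):
        return []
    return lookup_parameterized(username)


if __name__ == "__main__":
    crafted = "' OR '1'='1"               # textbook injection string, used to show the difference
    print(lookup_vulnerable(crafted))      # both rows: the input altered the command
    print(lookup_parameterized(crafted))   # []: the input stayed data
    print(lookup_hardened(crafted))        # []: rejected before reaching the database
```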
Sensitive Data Exposure, XML External Entities (XXE)

Sensitive Data Exposure
• Cause: insecure collecting, handling, storing, transmitting or deleting of data
• Method of exploit: look for exposed data
• Mitigation:
  • Classify data, apply controls, encrypt data at rest and in motion
  • Use a WAF; key management
  • Encrypt data in motion with a strong cipher: TLS with perfect forward secrecy (PFS)
  • Cipher prioritization, secure parameters
  • Use HTTP Strict Transport Security (HSTS) to guard against protocol downgrade and cookie hijacking
  • Disable caching for sensitive data
  • Store passwords with an adaptive, salted hash (Argon2, scrypt) to guard against powerful hardware and GPUs

XML External Entities (XXE)
• Cause: manipulated XML, weak XML parser
• Methods of exploit:
  • File upload flaw
  • Attack an application parsing XML input and expose data
• Mitigation:
  • Use JSON
  • Avoid serialization for translating data structures
  • Use SAST, DAST tools
  • Disable external entity processing
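Added example (not from the slides) for two mitigations on these slides, "check passwords for common passwords" and "store passwords with an adaptive, salted hash (scrypt)": the scrypt cost parameters and the tiny common-password set are constructed assumptions standing in for tuned values and a real breached-password list.

```python
import hashlib
import hmac
import os

# Constructed scrypt cost parameters (assumption: raise n as your hardware budget allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

# Constructed stand-in for a real breached-password list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def is_acceptable_password(password: str, min_length: int = 12) -> bool:
    """Registration-time check: minimum length and not on the common-password list."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, cost parameters, salt, digest.

    A fresh random salt per password makes identical passwords produce different
    records, so precomputed tables are useless; scrypt's memory cost slows
    GPU and ASIC guessing.
    """
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                      salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored beside the digest; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:          # malformed record or unusable parameters
        return False
    return hmac.compare_digest(candidate, expected)
```

Storing the parameters in the record lets you raise the cost for new passwords while old records still verify.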
Broken Access Control, Security Misconfigurations

Broken Access Control
• Cause: unauthorized access to resources
• Methods of exploit:
  • Missing policy, rules
  • Bypass access control checks, privilege escalation
  • Not using MFA
• Mitigation:
  • Deny by default, use least privilege
  • Use MFA, delete unwanted accounts
  • Minimize CORS (Cross-Origin Resource Sharing)
  • Log and audit server activities
  • Limit actions allowed
  • Reduce access area and unwanted services, scrutinize every access
  • Rate limit access
  • Invalidate JWT tokens
  • Disallow access to unexposed URLs/endpoints
  • Use SAST, DAST, WAF

Security Misconfigurations
• Cause: inadequate security hardening
• Methods of exploit:
  • Exploit unpatched flaws
  • Old accounts, default accounts
  • Unused features, services or samples left enabled
  • Sensitive user or component details exposed in error messages and stack traces
  • Unprotected directory listing allowing reverse engineering
• Mitigation:
  • Patch flaws
  • Disable default configuration or permissions
  • Use a repeatable process
  • Use the same config for all environments, minimal platform
  • Security directives: HSTS (HTTP Strict Transport Security), HPKP (HTTP Public Key Pinning), X-Frame-Options header
  • Use segmentation for components/tenants, containers and security groups
Cross Site Scripting (XSS), Insecure Deserialization

Cross Site Scripting (XSS)
• Cause: untrusted data mixed into browser content
• Methods of exploit:
  • Client-side code injection exploiting the browser and the user's trust in the web site
  • Steal session cookie
  • Write to or manipulate the DB
• Mitigation (applies to reflected XSS, stored XSS and DOM XSS):
  • Use escaping
  • Use frameworks that escape automatically
  • Separate untrusted user input data from active browser content
  • Ensure the web app is secure
  • Use a WAF

Insecure Deserialization
• Cause: manipulated deserialized objects
• Methods of exploit:
  • Using serialized objects from untrusted sources
  • Super cookie about the logged-in user
  • Untrusted user input
  • Manipulated super cookie containing serialized information on user role, password hash etc., allowing remote code execution, DoS attack etc.
• Mitigation:
  • Implement integrity checks such as digital signatures on any serialized objects
  • Strict type constraints during deserialization
  • Validate user input
  • Use a WAF
  • Run code that deserializes in low-privilege environments
  • Monitor, restrict, alert; log deserialization exceptions and failures
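Added example (not from the slides) for the Insecure Deserialization mitigations: a session "super cookie" serialized as JSON, signed with HMAC-SHA256, and accepted back only after the tag verifies and a strict field/type schema passes; the key, the schema and the tamper_role test helper are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption: in practice loaded from a secret store, never hard-coded).
SECRET_KEY = b"demo-only-key-0123456789abcdef"

# Strict schema for the session object: exactly these fields, exactly these types.
SCHEMA = {"uid": int, "role": str}
ALLOWED_ROLES = {"user", "admin"}


def validate_session(obj) -> dict:
    """Strict type constraints: reject unknown fields, wrong types and unknown roles."""
    if not isinstance(obj, dict) or set(obj) != set(SCHEMA):
        raise ValueError("unexpected fields")
    for field, expected_type in SCHEMA.items():
        if type(obj[field]) is not expected_type:   # `is`, so a bool cannot pass as int
            raise ValueError("wrong type for %s" % field)
    if obj["role"] not in ALLOWED_ROLES:
        raise ValueError("unknown role")
    return obj


def _tag(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def sign_session(session: dict) -> str:
    """Serialize as JSON (no code runs on load) and append an HMAC tag over the bytes."""
    validate_session(session)                       # never sign what we would not accept back
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_tag(payload)).decode())


def load_session(cookie: str) -> dict:
    """Verify the tag before deserializing; raise on any tampering or malformed input."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:                               # wrong part count or bad base64
        raise ValueError("malformed cookie")
    if not hmac.compare_digest(tag, _tag(payload)):
        raise ValueError("signature mismatch")       # the event to log and alert on
    return validate_session(json.loads(payload))


def accept_session(cookie: str):
    """Convenience wrapper: the session dict, or None when the cookie is rejected."""
    try:
        return load_session(cookie)
    except ValueError:
        return None


def tamper_role(cookie: str, new_role: str) -> str:
    """Constructed test helper: rewrite the payload but keep the original tag."""
    payload_b64, tag_b64 = cookie.split(".")
    data = json.loads(base64.urlsafe_b64decode(payload_b64))
    data["role"] = new_role
    payload = json.dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(payload).decode() + "." + tag_b64
```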
Using Components with Known Vulnerabilities, Insufficient Logging and Monitoring

Using Components with Known Vulnerabilities
• Cause:
  • Inadequate and inconsistent process/enforcement
  • What is well known is known to everyone, attackers included
• Methods of exploit:
  • Scan for known vulnerabilities
  • Exploit the vulnerabilities
• Mitigation:
  • Inventory clients and servers
  • Download from digitally signed official sources
  • Manage: monitor, patch, configure
  • Automate and consistently check against CVE (Common Vulnerabilities and Exposures) and the NVD (National Vulnerability Database)

Insufficient Logging and Monitoring
• Cause: no logs, no tracking of activities in logs, non-decipherable context, or no action on the logs collected
• Method of exploit: turn off logging, manipulate log levels
• Mitigation:
  • OWASP cheat sheet for logging
  • Granular error messages, appropriate alert thresholds, mask data in log files
  • Monitor the context using SIEM tools
  • Integrity control of logs
Mobile Security
Mobile Security: Challenges & Best Practices
• Wi-Fi interference: network spoofing, man-in-the-middle attack
  • Enforce use of an encrypted channel or VPN
• Out-of-date devices: attackers scan for out-of-date devices and exploit their vulnerabilities
  • Enforce software updates
  • Strong policy
  • Over-the-air updates
• Cryptojacking attacks: exploit mobile phone software vulnerabilities to mine cryptocurrency
  • MFA, strong password, password policy
  • Update software
  • Limit allowed apps
  • Secure browsing, safe URLs
• Poor password hygiene
  • Strong policy, password manager
Mobile Security: Challenges & Best Practices
• Physical device breaches: user behavior, a balance between flexibility and security
  • Jailbroken devices
  • Old phones, phones that are not updated
  • Data leak
  • Use endpoint protection
  • Use DLP tools
  • MDM solutions
• Social engineering: instant and continuous exposure to the device
  • Phishing: awareness, spam filter, patches, antivirus, web filter, encryption
API Security
API Security: An overview
• Application Programming Interface (API) is an interface or contract between two entities called a consumer and
a provider
• Provides a service based on a contract (WSDL, Swagger OpenAPI3). REST API is popular
• Shares (therefore exposes) corporate resources and data
• Digital transformation is the main driver for API Economy
• Another avenue
• to stimulate innovation
• to create customer stickiness
• to build an ecosystem
• for monetization
• for an attack surface
• Private API: Used internally by organizations to integrate with different software systems
• Public API: Programming interfaces exposed to developer communities
• Partner API: Programming interfaces exposed to partners
API Security: Challenges
• Application source code exposure
• Shared password between apps
• Unprotected data in backend
• Improperly secured endpoints/URLs
• Unencrypted OAuth token stored or sent in clear text
• OWASP A1, A2, A4, A5, A6, A7, A10 are applicable
• Injection
• Broken Authentication
• XXE (XML External Entities)
• Broken Access Control
• Security Misconfiguration
• XSS (Cross Site Scripting)
• Insufficient logging and monitoring
API Security: Methods
• Authentication using
• Username/password
• Cookie Authentication
• Digital certificates
• Keys
• MFA
• Digest
• Bearer (for OAuth 2.0)
• OpenID Connect (OIDC) – ID token for Authentication + Access token
• HOBA (HTTP Origin-Bound Authentication)
• Mutual Authentication Protocol
• Signature
• Authorize using
• OAuth using Access token (needs bearer token and client ID)
API Security: Best Practices
• Think of what if the data is compromised
• Plan for growth: consideration during design, deployment, intent, which user group
• Consider what resource and fields are exposed, what’s the business, scope and which method
• Use an existing framework, use the existing security process
• Encrypt data in motion
• Use API Gateway for API management (Apigee, MuleSoft)
• analyze authorization
• messages
• tokens and parameters
• track usage
• throttle usage using rate limits
• encrypt and redact logs
API Security: Best Practices
• Detect Insecure API calls with Sniffers
• Consistent change management
• Classify as Public, Private or Partner API
• Security scans for both home-grown, third-party libraries and open-source
• Data driven automated testing
• SAST (Static Application Security Testing: white box)
• DAST (Dynamic Application Security Testing: black box, run-time)
• IAST (Interactive Application Security Testing: real time on code, config, connection, 3rd party
libraries, framework )
• RASP (Real-time Application Security protection): Monitors attacks and terminates sessions
• Security Audit
Container Security
Container Security: An Overview
• What are Containers, why are they needed?
• Containers provide an immutable, portable, reusable, and automatable way
to package and run apps
• 5 key components
• Image
• Registry
• Orchestrator
• Container
• Host OS
Container Security: Challenges
• Image
• Image vulnerability
• Image configuration defects
• Embedded Malware
• Embedded clear text secrets
• Use of untrusted images
• Registry
• Insecure connection to registries
• Stale images in registries
• Insufficient authentication and authorization
• Orchestrator
• Unbounded administrative access
• Unauthorized access
• Poorly separated inter-container traffic
• Mixing of workload sensitivity
• Orchestrator node trust
Container Security: Challenges
• Containers
• Vulnerability in runtime software
• Unbounded network access from containers
• Insecure container runtime config
• App vulnerability
• Rogue containers
• Host OS
• Large attack surface
• Shared kernel
• Host OS component vulnerability
• Improper user access rights
• Host OS File system tampering
Container Security: Challenges
• Visibility and identity of each container
• Resource hogging
• Storage of secrets outside the container
• DDOS
Container Security: Best Practices
• Use a container-specific host OS: a base image with a minimized OS carrying just the required capabilities
• Group containers with the same purpose, sensitivity, and threat posture on a single host OS
• User namespaces
• Hypervisor isolation
• Container isolation
• Image whitelist, labeling/versioning
• Container-aware network & process monitoring
• Validated and digitally signed images, with hashes and signatures
• Do live scans, apply runtime controls and container-aware runtime defense tools (Twistlock, NeuVector)
• Secure all tiers with a hardware root of trust, using the industry-standard Trusted Platform Module (TPM)
• Digitally sign or do integrity checks on container images
• Manage the lifecycle of containers, use policies
Open Source Security
Open-source Security: Challenges
• Pull model: users are responsible for keeping track of vulnerabilities, fixes
• Indirect dependency
• Known vulnerabilities in system libraries, container images
• CVEs in distros
• Malicious packages
• Typosquatting
• Compromised CI or registry
• Malicious package included in dependency
• Socially engineered inclusion of malicious package
• GPL license violations/conflicts
Open-source Security: An Overview
• Open-source Software
• Free source code released under a license
• Grants the copyright holder the rights to freely redistribute, study, modify
and share with anyone for any purpose
• Affordability
• Transparency
• Perpetuity
• Interoperability
• Flexibility
Open-source Security: Challenges
• Path traversal (aka directory traversal or backtracking)
• Cross-site scripting (XSS)
• Sensitive information exposure: Permissions, privileges, and access control
• Deserialization of untrusted data
• Out-of-bounds write
• Resource management errors
• SQL injection
• Regular expression denial of service (ReDoS)
Open-source Security: Best Practices
• Use SCA (Source Code Analysis/Software Composition Analysis) tools
• Enforce consistent Security Audits
• Patch ASAP
• Use encoding to avoid directory traversal
• Use open-source security lifecycle
• Make pre-approved, easy-to-consume libraries, packages, toolchains, and processes available
• Responsible security disclosures
• Secure code base with code review
• Audit code base
• Ensure compliance with software licenses, an essential step in reducing business risk
• Breach of an open-source license can result in IP infringement
• Use tools, e.g. OWASP ZAP, SonarQube, Black Duck
Conclusion
Your journey: VAST and ROUGH. Get a handle on these for a SMOOTH SAIL!

More Related Content

Similar to WebApp_to_Container_Security.pdf

CompTIASecPLUSAASS-part4 - Edited (1).pptx
CompTIASecPLUSAASS-part4 - Edited (1).pptxCompTIASecPLUSAASS-part4 - Edited (1).pptx
CompTIASecPLUSAASS-part4 - Edited (1).pptx
mohedkhadar60
 

Similar to WebApp_to_Container_Security.pdf (20)

Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
Web Security
Web SecurityWeb Security
Web Security
 
Top Azure security fails and how to avoid them
Top Azure security fails and how to avoid themTop Azure security fails and how to avoid them
Top Azure security fails and how to avoid them
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the Cloud
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS SummitTop 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
 
Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics
 
CompTIASecPLUSAASS-part4 - Edited (1).pptx
CompTIASecPLUSAASS-part4 - Edited (1).pptxCompTIASecPLUSAASS-part4 - Edited (1).pptx
CompTIASecPLUSAASS-part4 - Edited (1).pptx
 

Recently uploaded

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdf
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 

WebApp_to_Container_Security.pdf

  • 1. Application Security By Anna Pasupathy CISSP, CISM © 2019 Claren
  • 2. Application Security Application Security: Securing software Applications Topics • Web application security: • Securing web applications • API (Application Programming Interface) Security • Securing API communication between machines/applications • Mobile Security: • Securing mobile applications • Container security: • Securing software containers • Open-source security: • Securing the open-source software in use © 2019 Claren
  • 3. Web Application Security OWASP Top 10 2017 • A1 - Injection • A2 - Broken Authentication • A3 - Sensitive Data Exposure • A4 - XML External Entities (XXE) • A5 - Broken Access Control • A6 - Security Misconfiguration • A7 - Cross Site Scripting (XSS) • A8 - Insecure Deserialization • A9 - Using Components with Known Vulnerabilities • A10 - Insufficient Logging and Monitoring © 2019 Claren
  • 4. Web Application Security: Risk Ratings © 2019 Claren Risk Exploitability: (3:Easy, 2:Average, 1:Difficult) Prevalence: (3:Widespread 2:Common, 1:Uncommon) Detectability: (3:Easy, 2:Average, 1:Difficult) Technical Impact: (3:Severe, 2:Moderate, 1:Minor) Business Impact Injection 3 2 3 3 Data loss, corruption, data disclosure, loss of accountability, denial of access, host takeover Broken Authentication 3 2 3 3 Money laundering, social security fraud, and identity theft, or disclose sensitive info Sensitive Data Exposure 2 3 2 3 PII leak requiring legal penalty XML External Entities (XXE) 2 2 3 3 Extract data, execute a remote request, scan internal systems, DOS attack, execute other attacks Broken Access Control 2 2 2 3 CRUD on data Security Misconfiguration 3 3 3 2 System compromise Cross Site Scripting (XSS) 3 3 3 2 Stealing credentials, sessions, or delivering malware Insecure Deserialization 1 2 2 3 Remote code execution Using Components with Known Vulnerabilities 2 3 2 2 Depends Insufficient Logging and Monitoring 2 3 1 2 Raise the likelihood of successful exploit to nearly 100%.
  • 5. Injection, Broken Authentication © 2019 Claren Injection Broken Authentication Cause User Input not validated Inadequate or no Authentication Method of Exploits • User input could be a dbase/Ldap query to reveal the data or makes changes in database • Brute force • Default/weak/known/unencrypted password • No MFA • Exposed URL with session ID • Static and no expiry of session ID • Automated Credential stuffing Mitigation • Validate user input • Separate data from command • Limit data exposure • Use server-side validation • Use ESC sequence • Query parameterization • Use WAF • Check passwords for common passwords • Check password complexity, registration • Enforce password rotation • Use Exponential failed login attempts • Server-side session management • Use MFA
  • 6. Sensitive Data Exposure, XML External Entities (XXE) © 2019 Claren Sensitive Data Exposure XML External Entities (XXE) Cause Insecure collecting, handling, storing, transmitting or deleting data Manipulate XML, weak XML parser Method of Exploits • Look for exposed data • File upload flaw • Attack an application parsing XML input and expose data Mitigation • Classify data, apply controls, encrypt data at rest and in motion • Use WAF, Key management • Encrypt with strong cipher for data in motion: TLS with perfect forward secrecy (PFS) • Cipher prioritization, Secure parameters • Use HTTP Strict Transport Security (HSTS) to guard against protocol downgrade, cookie hijacking • Disable caching for sensitive data • Store passwords with adaptive and salted hash: Argon2, scrypt - to guard against powerful hardware and GPU • Use json • Avoid serialization for translating data structures • Use SAST, DAST tools • Disable external entity processing
  • 7. Broken Access Control, Security Misconfigurations © 2019 Claren Broken Access Control Security Misconfigurations Cause Unauthorized access to resources Inadequate security hardening Method of Exploits • Missing policy, rules • Bypass access control checks, Privilege escalation • Not using MFA • Exploit unpatched flaws • Old accounts, default accounts • Leaving unused features, services or samples • Exposing sensitive user or component details in error messages and stack trace Mitigation • Deny by default, use least privilege • Use MFA, Delete unwanted accounts • Minimize CORS (Cross-Origin Resource Sharing) • Log and Audit server on activities • Limit actions allowed • Reduce access area, unwanted services, scrutinize every access • Rate limit access • Invalidate JWT tokens • Disallow access to unexposed URLs/endpoints • Use SAST, DAST, WAF • Patch flaws • Disable default configuration or permission • Unprotected directory listing allowing reverse engineering • Use repeatable process • Use same config for all env, minimum platform • Security directives – HSTS (HTTP Strict Transport Security), HPKP (HTTP Public Key Pinning), X-frame option Header • Use segmentation - for components/tenants, containers and security groups
  • 8. Cross Site Scripting (XSS), Insecure Deserialization © 2019 Claren Cross Site Scripting (XSS) Insecure Deserialization Cause Jumbled untrusted data from browser content Manipulate deserialized objects Method of Exploits • Client-side code injection exploiting the browser and user’s trust on web site • Steal session cookie • Write, manipulate DB • Using serialized objects from untrusted sources • super cookie about the logged in user • Untrusted user input • Manipulated super cookie containing serialized information on user role or password hash etc. allowing remote code execution, DOS attack etc. Mitigation • Reflected XSS, Stored XSS or DOM XSS • Use escaping • Use frameworks that automatically does the escaping • Separate untrusted user input data from active browser content • Ensure web app is secure • Use WAF • Implementing integrity checks such as digital signatures on any serialized objects • Strict type constraints during deserialization • Validate user input • Use WAF • Run code that deserializes in low privilege environments • Monitor, restrict, alert, Logging deserialization exceptions and failures
  • 9. Using Components with Known Vulnerabilities, Insufficient Logging and Monitoring © 2019 Claren Using Components with known vulnerabilities Insufficient logging and monitoring Cause • Inadequate and inconsistent process/enforcement. • Well known is known to everyone. No logs, no tracking of activities in logs, or non- decipherable context, no action on logs collected Method of Exploits • Scan for known vulnerabilities • Exploit vulnerabilities • Turn off logging, manipulate log levels Mitigation • Inventory clients and servers • Download from digitally signed official source • Manage - Monitor, patch, config • Automate and consistently check against CVE (Common Vulnerability and Exploits), NVD (National Vulnerability dbase) • OWASP cheat sheet for logging • Granular err msg, approp alert thresholds, mask data in log files • Monitor the context using SIEM tools • Integrity control of logs
  • 11. Mobile Security: Challenges & Best Practices • Wi-Fi interference: Network spoofing, Man-in-the middle attack • Enforce use of Encrypted channel or VPN • Out-of-date devices: Scan for out-of-date devices and exploit vulnerability • Enforce Software update • Strong Policy • Over the air update • Crypto jacking attacks: Exploit Mobile phone software vulnerability for mining crypto currency • MFA, strong password, password policy • Update software • Limit allowed apps • Secure browsing, safe URL • Poor password hygiene • Strong Policy, password manager © 2019 Claren
  • 12. Mobile Security: Challenges & Best Practices • Physical Device breaches: User behavior, a balance between flexibility and Security • Jail broken devices • Old phones, un updated phones • Data Leak • Use Endpoint protection • Use DLP tools • MDM solutions • Social Engineering: Instant and continuous exposure to device • Phishing: Awareness, SPAM filter, patches, antivirus, web filter, encryption © 2019 Claren
14. API Security: An Overview
• An Application Programming Interface (API) is an interface, or contract, between two entities: a consumer and a provider
• Provides a service based on a contract (WSDL, Swagger/OpenAPI 3); REST APIs are the most popular
• Shares, and therefore exposes, corporate resources and data
• Digital transformation is the main driver of the API economy
• Another avenue
  • to stimulate innovation
  • to create customer stickiness
  • to build an ecosystem
  • for monetization
  • for an attack surface
• Private API: used internally by an organization to integrate different software systems
• Public API: programming interfaces exposed to developer communities
• Partner API: programming interfaces exposed to partners
15. API Security: Challenges
• Application source code exposure
• Passwords shared between apps
• Unprotected data in the backend
• Improperly secured endpoints/URLs
• OAuth tokens stored or sent unencrypted, in clear text
• OWASP Top 10 2017 A1, A2, A4, A5, A6, A7 and A10 apply:
  • Injection
  • Broken Authentication
  • XXE (XML External Entities)
  • Broken Access Control
  • Security Misconfiguration
  • XSS (Cross Site Scripting)
  • Insufficient Logging and Monitoring
16. API Security: Methods
• Authenticate using
  • Username/password
  • Cookie authentication
  • Digital certificates
  • API keys
  • MFA
  • HTTP Digest
  • Bearer tokens (OAuth 2.0)
  • OpenID Connect (OIDC): an ID token for authentication plus an access token
  • HOBA (HTTP Origin-Bound Authentication)
  • Mutual authentication protocols
  • Request signatures
• Authorize using
  • OAuth 2.0 access tokens: the client identifies itself with its client ID to obtain the token, then presents it as a bearer token on each API call
17. API Security: Best Practices
• Think through what happens if the data is compromised
• Plan for growth: consider during design and deployment what the API is for and which user groups will use it
• Consider which resources and fields are exposed, what the business purpose and scope are, and which methods are allowed
• Use an existing framework and the existing security process
• Encrypt data in motion
• Use an API gateway for API management (Apigee, MuleSoft) to
  • analyze authorization
  • inspect messages
  • validate tokens and parameters
  • track usage
  • throttle usage with rate limits
  • encrypt and redact logs
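The gateway duties listed above, and the bearer-token authorization from the previous slide, as an added example that is not part of the original deck or of any gateway product: verify the OAuth 2.0 bearer token (assumed here to be an HS256 JWT signed with a secret shared with the authorization server), enforce expiry and scope per route, throttle each client with a token bucket, and redact the token before the request is logged. The secret, routes, scopes and clients are constructed for illustration; `issue_token` stands in for the authorization server so the example runs offline.

```python
"""Added example, not from the original deck: bearer-token verification,
scope check, token-bucket rate limiting and log redaction in an API gateway.
Secret, routes, scopes and clients are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import re

JWT_SECRET = b"constructed-shared-secret"   # assumed: same key as the authorization server
REQUIRED_SCOPE = {"GET /orders": "orders:read", "POST /orders": "orders:write"}
BEARER_RE = re.compile(r"Bearer \S+")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: str) -> bytes:
    return hmac.new(JWT_SECRET, signing_input.encode(), hashlib.sha256).digest()


def issue_token(client_id: str, scope: str, ttl: int, now: float) -> str:
    """Stands in for the authorization server so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": client_id, "scope": scope, "exp": int(now + ttl)}).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64url(_hs256(signing_input))}"


def verify_token(token: str, now: float) -> dict:
    """Reject on any defect: shape, alg, signature, expiry. Signature before claims."""
    try:
        header, payload, sig = token.split(".")
        alg = json.loads(_b64url_decode(header)).get("alg")
        given = _b64url_decode(sig)
    except ValueError:
        raise PermissionError("malformed token")
    if alg != "HS256":
        raise PermissionError("unexpected alg")   # never accept 'none' or a client-chosen alg
    if not hmac.compare_digest(given, _hs256(f"{header}.{payload}")):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


def token_accepted(token: str, now: float) -> bool:
    try:
        verify_token(token, now)
        return True
    except PermissionError:
        return False


def redact(line: str) -> str:
    """Keep request logs useful without storing credentials in them."""
    return BEARER_RE.sub("Bearer [REDACTED]", line)


class TokenBucket:
    """Burst of `capacity` requests, refilled at `rate` tokens per second."""
    def __init__(self, capacity: int, rate: float, now: float):
        self.capacity, self.rate, self.tokens, self.last = capacity, rate, float(capacity), now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    def __init__(self, capacity: int = 5, rate: float = 1.0):
        self.capacity, self.rate, self.buckets, self.log = capacity, rate, {}, []

    def handle(self, method: str, path: str, headers: dict, now: float) -> int:
        """Returns the HTTP status the gateway answers with (200 means forward)."""
        auth = headers.get("Authorization", "")
        self.log.append(redact(f"{method} {path} Authorization: {auth}"))
        if not auth.startswith("Bearer "):
            return 401
        try:
            claims = verify_token(auth[len("Bearer "):], now)
        except PermissionError:
            return 401
        needed = REQUIRED_SCOPE.get(f"{method} {path}")
        if needed is None or needed not in claims.get("scope", "").split():
            return 403                      # authenticated, but not authorized for this route
        if claims["sub"] not in self.buckets:
            self.buckets[claims["sub"]] = TokenBucket(self.capacity, self.rate, now)
        return 200 if self.buckets[claims["sub"]].allow(now) else 429
```

The order of checks matters: an unauthenticated or forged request is rejected before it costs the client any rate-limit budget, and the scope check is per route, so a read-only token cannot be replayed against a write endpoint.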
18. API Security: Best Practices
• Detect insecure API calls with sniffers
• Consistent change management
• Classify each API as public, private or partner
• Security scans for home-grown code, third-party libraries and open source
• Data-driven automated testing
  • SAST (Static Application Security Testing: white box, on the source code)
  • DAST (Dynamic Application Security Testing: black box, at run time)
  • IAST (Interactive Application Security Testing: real time, on code, configuration, connections, third-party libraries and frameworks)
  • RASP (Runtime Application Self-Protection): monitors attacks from inside the running application and terminates sessions
• Security audit
20. Container Security: An Overview
• What are containers, and why are they needed?
• Containers provide an immutable, portable, reusable and automatable way to package and run applications
• Five key components:
  • Image
  • Registry
  • Orchestrator
  • Container
  • Host OS
21. Container Security: Challenges
• Image
  • Image vulnerabilities
  • Image configuration defects
  • Embedded malware
  • Embedded clear-text secrets
  • Use of untrusted images
• Registry
  • Insecure connections to registries
  • Stale images in registries
  • Insufficient authentication and authorization
• Orchestrator
  • Unbounded administrative access
  • Unauthorized access
  • Poorly separated inter-container traffic
  • Mixing of workloads of different sensitivity
  • Orchestrator node trust
22. Container Security: Challenges
• Containers
  • Vulnerabilities in the runtime software
  • Unbounded network access from containers
  • Insecure container runtime configuration
  • Application vulnerabilities
  • Rogue containers
• Host OS
  • Large attack surface
  • Shared kernel
  • Host OS component vulnerabilities
  • Improper user access rights
  • Host OS file system tampering
23. Container Security: Challenges
• Visibility and identity of each container
• Resource hogging
• Storage of secrets outside the container
• DDoS
24. Container Security: Best Practices
• Use a container-specific OS: a minimized base image with just the required capabilities
• Group containers with the same purpose, sensitivity and threat posture on a single host OS
• User namespaces
• Hypervisor isolation
• Container isolation
• Image whitelisting, labeling and versioning
• Container-aware network and process monitoring
• Validated, digitally signed images, verified by hash and signature before use
• Live scanning, runtime controls and container-aware runtime defense tools (Twistlock, NeuVector)
• Secure all tiers with a hardware root of trust, using the industry-standard Trusted Platform Module (TPM)
• Digitally sign container images and check their integrity
• Manage the container lifecycle with policies
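The image whitelisting, signature and integrity practices above, as an added example that is not part of the original deck or of any orchestrator: an admission-style policy check a deployment pipeline could run before an image is allowed onto a host. The image must be referenced by a pinned digest that appears on a signed allowlist, the digest must match the manifest actually pulled, the image config must not run as root or carry clear-text secrets in ENV, and no extra Linux capabilities may be requested. The manifest, config, allowlist and its HMAC key are constructed; a real pipeline would read the registry's manifest and verify signatures with a signing tool rather than a shared HMAC key.

```python
"""Added example, not from the original deck: admission policy for a container
image (pinned digest on a signed allowlist, manifest matches digest, non-root
user, no secrets in ENV, no added capabilities). All inputs are constructed."""
import hashlib
import hmac
import json
import re

ALLOWLIST_KEY = b"constructed-allowlist-signing-key"   # assumed: held by the security team
SECRET_ENV_RE = re.compile(r"^\w*(PASSWORD|SECRET|TOKEN|KEY)\w*=", re.I)

# Constructed manifest bytes as a registry would serve them (content-addressed)
MANIFEST = json.dumps({"schemaVersion": 2, "layers": [{"digest": "sha256:aaa"}]}, sort_keys=True).encode()
MANIFEST_DIGEST = "sha256:" + hashlib.sha256(MANIFEST).hexdigest()


def sign_allowlist(digests: list) -> dict:
    """What the security team publishes: the approved digests plus an integrity tag."""
    body = json.dumps(sorted(digests))
    return {"body": body, "sig": hmac.new(ALLOWLIST_KEY, body.encode(), hashlib.sha256).hexdigest()}


def allowed_digests(signed: dict) -> set:
    expected = hmac.new(ALLOWLIST_KEY, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signed["sig"], expected):
        raise ValueError("allowlist signature invalid")
    return set(json.loads(signed["body"]))


def check_image(ref: str, manifest: bytes, config: dict, signed_allowlist: dict) -> list:
    """Returns the list of policy violations; an empty list means admit."""
    findings = []
    digest = None
    if "@sha256:" in ref:
        digest = "sha256:" + ref.split("@sha256:")[1]
    else:
        findings.append("image reference is not pinned by digest (tags such as :latest are mutable)")
    actual = "sha256:" + hashlib.sha256(manifest).hexdigest()
    if digest and digest != actual:
        findings.append("pulled manifest does not match the pinned digest")
    if digest and digest not in allowed_digests(signed_allowlist):
        findings.append("digest is not on the signed allowlist")
    user = str(config.get("User", ""))
    if user in ("", "0", "root"):
        findings.append("image runs as root; set a non-root USER")
    for env in config.get("Env", []):
        if SECRET_ENV_RE.match(env):
            findings.append("clear-text secret in ENV: " + env.split("=")[0])
    if config.get("CapAdd"):
        findings.append("extra capabilities requested: " + ", ".join(config["CapAdd"]))
    return findings


if __name__ == "__main__":
    allowlist = sign_allowlist([MANIFEST_DIGEST])
    good = {"User": "10001", "Env": ["PATH=/usr/bin"]}
    bad = {"User": "root", "Env": ["DB_PASSWORD=hunter2"], "CapAdd": ["SYS_ADMIN"]}
    print(check_image(f"registry.example/app@{MANIFEST_DIGEST}", MANIFEST, good, allowlist))
    for finding in check_image("registry.example/app:latest", MANIFEST, bad, allowlist):
        print("-", finding)
```

Pinning by digest is what makes the allowlist meaningful: a tag can be re-pointed in the registry after approval, while a content digest cannot change without the manifest (and therefore the check) changing with it.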
25. Open Source Security
26. Open-source Security: Challenges
• Pull model: users are responsible for keeping track of vulnerabilities and fixes themselves
• Indirect (transitive) dependencies
• Known vulnerabilities in system libraries and container images
• CVEs in distributions
• Malicious packages
  • Typosquatting
  • Compromised CI or registry
  • Malicious package pulled in as a dependency
  • Socially engineered inclusion of a malicious package
• GPL license violations and conflicts
27. Open-source Security: An Overview
• Open-source software
  • Source code released free of charge under a license
  • The copyright holder grants anyone the right to freely use, study, modify and redistribute it, for any purpose
  • Affordability
  • Transparency
  • Perpetuity
  • Interoperability
  • Flexibility
28. Open-source Security: Challenges (common vulnerability classes)
• Path traversal (aka directory traversal or backtracking)
• Cross-site scripting (XSS)
• Sensitive information exposure: permissions, privileges and access control
• Deserialization of untrusted data
• Out-of-bounds write
• Resource management errors
• SQL injection
• Regular expression denial of service (ReDoS)
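The first class on the list, path traversal, as an added example that is not part of the original deck: the check a file-serving library should perform. The vulnerable version joins the request path onto the document root and never looks at `..`; the hardened version decodes, normalizes and resolves the result, then refuses anything that lands outside the root, which also covers absolute paths, backslash variants and double URL-encoding. The document root, file names and request paths are constructed, and a temporary directory is used so the example runs anywhere.

```python
"""Added example, not from the original deck: vulnerable versus hardened
path resolution for a file-serving endpoint. Root, files and requests are
constructed; a temporary directory stands in for the document root."""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def vulnerable_resolve(root: str, requested: str) -> str:
    # os.path.join discards `root` when `requested` is absolute, and '..' is
    # normalized straight through the root boundary
    return os.path.normpath(os.path.join(root, requested))


def safe_resolve(root, requested: str) -> Path:
    """Return the real path under `root`, or raise PermissionError for a traversal attempt."""
    decoded = unquote(unquote(requested)).replace("\\", "/")   # decode twice: %252e%252e
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    root_real = Path(root).resolve()
    candidate = (root_real / decoded.lstrip("/")).resolve()   # resolve() follows symlinks too
    if candidate != root_real and root_real not in candidate.parents:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return candidate


def demo() -> dict:
    """Run the hardened resolver over constructed requests; returns allowed/blocked per request."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        (root / "static").mkdir(parents=True)
        (root / "static" / "app.js").write_text("// ok")
        (Path(tmp) / "secret.txt").write_text("outside the root")
        requests = [
            "static/app.js",                # legitimate
            "../secret.txt",                # classic traversal
            "static/../../secret.txt",      # traversal hidden behind a valid prefix
            "%2e%2e/secret.txt",            # URL-encoded dots
            "%252e%252e/secret.txt",        # double-encoded dots
            "..\\secret.txt",               # backslash variant
        ]
        result = {}
        for req in requests:
            try:
                safe_resolve(root, req)
                result[req] = "allowed"
            except PermissionError:
                result[req] = "blocked"
        return result


if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve("/srv/www", "../../etc/passwd"))
    for req, verdict in demo().items():
        print(f"{verdict:8} {req}")
```

The containment test is done on the fully resolved path rather than on the request string, so the check does not depend on spotting every encoding of `..`; any request that ends up outside the root is rejected regardless of how it got there.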
29. Open-source Security: Best Practices
• Use SCA (Software Composition Analysis) tools
• Enforce consistent security audits
• Patch ASAP
• Normalize and validate file paths to avoid directory traversal
• Use an open-source security lifecycle
• Make pre-approved, easy-to-consume libraries, packages, toolchains and processes available
• Responsible security disclosure
• Secure the code base with code review
• Audit the code base
• Ensure compliance with software licenses, an essential step in reducing business risk: breach of an open-source license can result in IP infringement
• Use tools, e.g. OWASP ZAP, SonarQube, Black Duck
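What an SCA tool does at its core, as an added example that is not part of the original deck or of any SCA product: parse a lockfile that records direct and transitive dependencies, match each package against an advisory feed shaped like CVE/NVD data (package, affected range, fixed version), and report what to patch and through which dependency path it was pulled in. The lockfile, package names and advisory entries are constructed placeholders, not real packages or real CVEs; a real pipeline would consume the project's actual lockfile and the NVD or a vendor feed.

```python
"""Added example, not from the original deck: a minimal software composition
analysis pass over a constructed lockfile and a constructed advisory feed.
Package names and CVE identifiers are placeholders, not real advisories."""
import re

# Constructed lockfile: name==version, with "# via <parent>" for transitive deps
LOCKFILE = """\
webclient==2.19.1
httpcore==1.23         # via webclient
yamlparse==3.12
templater==2.10
htmlsafe==1.0          # via templater
"""

# Constructed advisory feed; ranges are [introduced, fixed)
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "httpcore", "introduced": "0", "fixed": "1.24.2", "cwe": "CWE-20"},
    {"id": "CVE-0000-0002", "package": "yamlparse", "introduced": "0", "fixed": "4.2", "cwe": "CWE-502"},
    {"id": "CVE-0000-0003", "package": "templater", "introduced": "2.0", "fixed": "2.10.1", "cwe": "CWE-79"},
    {"id": "CVE-0000-0004", "package": "htmlsafe", "introduced": "1.1", "fixed": "1.1.1", "cwe": "CWE-79"},
]


def parse_version(text: str) -> tuple:
    """Compare versions numerically: 1.9 < 1.24, which a string compare gets wrong."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_lockfile(text: str) -> list:
    deps = []
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([0-9][^\s#]*)\s*(?:#\s*via\s+(\S+))?", line)
        if m:
            deps.append({"name": m.group(1).lower(), "version": m.group(2), "via": m.group(3)})
    return deps


def affected(dep: dict, advisory: dict) -> bool:
    v = parse_version(dep["version"])
    return (dep["name"] == advisory["package"]
            and parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"]))


def scan(lockfile: str = LOCKFILE, advisories: list = ADVISORIES) -> list:
    """One finding per (dependency, advisory) match, transitive dependencies included."""
    findings = []
    for dep in parse_lockfile(lockfile):
        for adv in advisories:
            if affected(dep, adv):
                findings.append({
                    "package": dep["name"], "version": dep["version"],
                    "advisory": adv["id"], "cwe": adv["cwe"],
                    "fix": f"upgrade to >= {adv['fixed']}",
                    "path": f"{dep['via']} -> {dep['name']}" if dep["via"] else dep["name"],
                })
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"{f['advisory']}: {f['path']} {f['version']} ({f['cwe']}), {f['fix']}")
```

Two details matter in practice and are easy to get wrong: versions must be compared as numeric tuples (a string compare puts 1.9 after 1.24), and the lockfile, not the hand-written dependency list, is what gets scanned, because that is where transitive dependencies such as `httpcore` appear.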
31. Your Journey
Get a handle on these for a SMOOTH SAIL!