Application Security-Understanding The Horizon


This presentation is part of a talk I gave at the Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation I tried to cover the broader aspects of application security basics. It will be useful for software architects, managers, developers and QAs. Do share your feedback in the comments.

Published in: Technology
  • Social engineering. Many attacks attempt to appear as if they originated from a system administrator or official service, increasing the likelihood that end users will execute them and infect their systems.
  • Trojan horse. A program that appears to be useful or harmless but that contains hidden code designed to exploit or damage the system on which it is run. Trojan horse programs are most commonly delivered to users through e-mail messages that misrepresent the program's purpose and function. Also called Trojan code. A Trojan horse does this by delivering a malicious payload or task when it is run.
  • Worm. A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another through network connections. A worm can take harmful action, such as consuming network or local system resources, possibly causing a denial of service attack. Some worms can execute and spread without user intervention, while others require users to execute the worm code directly in order to spread. Worms may also deliver a payload in addition to replicating.
  • Virus. A virus uses code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. When the host is executed, the virus code also runs, infecting new hosts and sometimes delivering an additional payload.
  • Now we no longer have websites, we have web applications:
    – Web applications reside on multiple systems in distributed architectures
    – Three tiers (presentation, logic, data)
    – Use sophisticated programming languages and architectures
    – Corporate and customer data moved to the computing edge
    – Edge extended to cellphones, PDAs, mobile sales force solutions, inventory management systems, etc.
  • There is a lack of awareness of application vulnerabilities in security departments. Security departments scrutinize the desktop, the network, and even the web servers, but the web application escapes their measures. Even in departments that want to audit for web application vulnerabilities, the lack of effective tools has made it impractical. As a result, Certification and Accreditation programs rarely examine the web application. In fact, the entire development cycle is usually missing from security procedures and controls. This illustrates the fundamental gap between security and development, which creates these web application vulnerabilities. Many traditional information security practitioners are ill-equipped to mitigate application security issues:
    – Little to no experience coding
    – No experience coding in "modern" enterprise environments like .NET and J2EE
    – Understand that there are risks, but not in a position to address them
  • Application Security-Understanding The Horizon

    1. Application Security-I: Understanding The Horizon. Lalit Kale
    2. Overview
       • Introduction
       • Foundations of Security
       • Layered Security Approach
       • Importance of Application Security
       • OWASP Top 10 Threats
       • Industry Gap
       • Bridging The Gap-Step by Step
       • Microsoft Security Development Lifecycle (MS-SDL)
       • Measurable results of applying MS-SDL
       • Resources
    3. Movie: Ocean's Eleven
    4. DEMO: Simple website hacking
    5. Why you should know hacking?
       • Developers need to hone their cyber-offence skills
       • Hack your own website: your first website security assessment
       • If you can't think like a hacker, it's difficult to defend against them
       • Defense in depth: fix multiple security flaws that would otherwise have been a single point of failure
    6. Who are hackers?
       • Ethical Hackers/Hacktivists: motivated by a higher cause
       • Cyber Criminals: motivated by financial gain, identity theft, malicious intentions
       • Nation States: cyber warfare for national security and political interest
    7. Hacker Targets
       • Enterprise Websites/Portals
       • Financial Websites/Portals
       • Government Websites/Portals
       • Social Media Websites/Portals
    8. Common Myth: "We are secure since we have a firewall!" (Diagram: firewalls, hardened OS, web server and app server at the network layer; custom developed application code, web services, legacy systems, databases, billing, human resources and directories at the application layer, where an application attack passes straight through.) Your security "perimeter" has huge holes at the application layer.
       • You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks
    9. Man in the Middle Attack (diagram)
    10. Common Sources of Untrusted Data
       • User: in the URL via a query string or route; posted via a form
       • Browser: cookies; request headers
       • Other: external services; your own database!
    11. Building A Risk Profile. Attackers want to understand as much as possible about the website in order to find vulnerabilities in it, so they analyze:
       • What are the points of untrusted data entry?
       • What sanitation practices have been employed?
       • What framework and libraries is the website running on?
       • What can be discovered about the site structure?
       • What can be learned from the "view source" option of browsers?
       • Are there any useful internal error messages sent to the browser?
       • Are there sufficient access controls on diagnostic data?
    12. Data Breaches of 2012 (chart)
    13. Cybercrime Evolution (timeline)
       • 1986–1995: LANs; first PC virus; motivation: damage
       • 1995–2003: Internet era; "big worms"; motivation: damage
       • 2004+: OS and DB attacks; spyware, spam; motivation: financial
       • 2006+: targeted attacks; social engineering; motivation: financial + political
       • Cost of U.S. cybercrime: about $70B
       • 2007 market prices: credit card number $0.50–$20; full identity $1–$15; bank account $10–$1000
       • Source: U.S. Government Accountability Office (GAO), FBI
    14. Evolving Threats
    15. "Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction."
    16. Foundations of Application Security
       • Authentication = Who are you?
       • Authorization = What can you do?
       • Auditing (non-repudiation) = You cannot deny your action
       • Confidentiality (privacy) = Data remains private and confidential
       • Integrity = Data is protected from tampering
       • Availability = System remains available
    17. Layered Security Approach
       • Physical Security: controlled access, electronic surveillance, video surveillance, security personnel
       • Perimeter Security: firewalls, IDS
       • Network Security: segmentation, secure W-LAN, IPSec, DMZ
       • Host Security: server hardening, client hardening, patch management, anti-virus, distributed firewalls
       • Application Security: IIS hardening, Exchange hardening, SQL Server hardening
    18. Attacks are focusing on applications (chart: operating system vs browser and application vulnerabilities). 90% of vulnerabilities are remotely exploitable. From the Microsoft Security Intelligence Report V7; sources: IBM X-Force, 2008
    19. Importance of Application Security
       • Web applications have the largest number of vulnerabilities. Sources: Sept 2009 report with data from TippingPoint IPS and vulnerability data by Qualys.
    20. Web Applications Complexity
       • Very complex architectures, multiple platforms and protocols (diagram: browser, wireless, HTTP, web servers, application server, web services, database server, network; presentation layer, business logic, access controls, customer identification, media store, content services, transaction information, core business data)
    21. Web Applications Breach the Perimeter (diagram: browser → HTTP(S) → Internet → firewall allows HTTP port 80 and HTTPS port 443 → web server (IIS, Apache) in the DMZ → firewall only allows applications on the web server to talk to the application server (ASP.NET, WebSphere, Java) → firewall only allows the application server to talk to the database server (MS-SQL, Oracle, DB2) on the trusted corporate inside)
    22. OWASP Top 10 Threats (application threat: negative impact; example impact)
       • Injection Flaws: attacker can manipulate queries to the DB / LDAP / other system; hackers can access backend database information, alter it or steal it.
       • Broken Authentication & Session Management: session tokens not guarded or invalidated properly; hacker can "force" a session token on a victim, and session tokens can be stolen after logout.
       • Cross Site Scripting: identity theft, sensitive information leakage, etc.; hackers can impersonate legitimate users and control their accounts.
       • Insecure Direct Object Reference: attacker can access sensitive files and resources; web application returns the contents of a sensitive file (instead of a harmless one).
       • Security Misconfiguration: attackers can gain detailed system information; malicious system investigation may assist in developing further attacks.
       • Sensitive Data Exposure: sensitive info sent unencrypted over an insecure channel; unencrypted credentials "sniffed" and used by a hacker to impersonate the user.
       • Missing Function Level Access Control: attacker can access unauthorized resources; hacker can forcefully browse to and access a page past the login page.
       • Cross-Site Request Forgery: attacker can invoke "blind" actions on web applications, impersonating a trusted user; blind requests to a bank account transfer money to the hacker.
       • Using Components with Known Vulnerabilities: attacker can exploit a vulnerable component to gain access to the system; attacker can cause data loss and also take over the server.
       • Unvalidated Redirects and Forwards: attacker can redirect victims to phishing sites; attacker can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
    23. DEMO: OWASP Top 10 Threats (Project: WebGoat)
    24. Industry Gap
       • Security Professional: "As a Network Security Professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution... but don't know if it's protecting what it's supposed to."
       • Application Developers and QA: "As an Application Developer, I can build/test great features and functions while meeting deadlines, but I don't know how to develop/test my web application with security as a feature."
    25. Bridging The Gap-Step by Step
       • Prioritize application security as an important non-functional requirement
       • Improve awareness of application security among developers and QAs
       • Incorporate security in the SDLC
       • Define clear roles and responsibilities towards application security
       • Promote penetration testing of applications
    26. Microsoft Security Development Lifecycle
       • Education: administer and track security training
       • Process: guide product teams to meet SDL requirements
       • Accountability: establish release criteria and sign-off as part of the FSR
       • Ongoing process improvements
       • Incident Response (MSRC)
    27. Measurable results: Microsoft SDL and Windows (chart: total vulnerabilities disclosed one year after release for Windows XP before SDL, Windows Vista after SDL, and competing OS I, II and III; values shown: 400, 242, 157, 119, 66). 45% reduction in vulnerabilities. Source: Windows Vista One Year Vulnerability Report, Microsoft Security Blog, 23 Jan 2008
    28. Measurable results: Microsoft SDL and SQL Server (chart: total vulnerabilities disclosed 36 months after release for SQL Server 2000 before SDL, SQL Server 2005 after SDL, and a competing commercial DB; values shown: 187, 34, 3). 91% reduction in vulnerabilities. Sources: analysis by Jeff Jones (Microsoft TechNet security blog)
    29. DEMO: Microsoft Security Assessment Tool 4.0
    30. Resources
       • OWASP (Open Web Application Security Project)
       • Microsoft Security
       • Wikipedia
    31. Lalit Kale. This presentation is shared under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information for this license is available at
       All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.
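As an added example (not from the deck or its author), the Unvalidated Redirects and Forwards row of slide 22 combined with the untrusted-data sources of slide 10: a post-login redirect that trusts the `next` query parameter beside one that validates it against an allow-list of hosts. The host `app.example.com` and the function names are assumptions made for the example.

```python
from urllib.parse import urlparse

# Hosts this application may redirect to (constructed value for the example).
ALLOWED_HOSTS = {"app.example.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` stays on an allowed host.

    Accepts a local absolute path ("/account") or an http(s) URL whose
    host is in `allowed_hosts`; anything else is rejected.
    """
    if not target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    # Browsers treat "\" as "/", so "/\evil.example" is really "//evil.example".
    if "\\" in target:
        return False
    parts = urlparse(target)
    # Schemes such as javascript:, data: or mailto: are never valid redirect targets.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:
        # netloc keeps userinfo and port, so "app.example.com@evil.example"
        # or an unexpected port fails the exact-match test.
        return parts.scheme in ("http", "https") and parts.netloc.lower() in allowed_hosts
    # Relative target: require exactly one leading slash. "//host" and "///host"
    # are protocol-relative URLs, and "account" (no slash) is rejected as ambiguous.
    return target.startswith("/") and not target.startswith("//")


def vulnerable_redirect(next_param):
    """The flaw from slide 22: the untrusted `next` value becomes the Location header."""
    return next_param or "/"


def hardened_redirect(next_param):
    """Fall back to the home page unless the target passes the allow-list check."""
    return next_param if is_safe_redirect(next_param) else "/"
```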