Self Defending Applications
Upcoming SlideShare
Loading in...5
×
 

Self Defending Applications

on

  • 684 views

Applications are constantly under attack. Unfortunately, nearly all applications have no capability of detecting an attacker or responding before a breach occurs. Those applications sit passively and ...

Applications are constantly under attack. Unfortunately, nearly all applications have no capability of detecting an attacker or responding before a breach occurs. Those applications sit passively and allow the attacker to constantly unleash attack after attack. Let's change the game and equip our application with the resources to detect an attack with high accuracy and respond in real time to prevent a compromise by eliminating the threat from the system.

In this talk we'll cover the OWASP AppSensor project – a project that details how to instrument an application to become attack aware and immediately respond to neutralize threats.  This project is backed by multiple talented security experts that have been advancing the project for the past three years. AppSensor has been featured in the Department of Defense Cross Talk journal, presented at the US Department of Homeland Security resilient software conference and at security conferences around the world.

Statistics

Views

Total Views
684
Views on SlideShare
539
Embed Views
145

Actions

Likes
1
Downloads
9
Comments
0

5 Embeds 145

https://twitter.com 130
http://static.usrfiles.com 6
http://oscaroviedo13.wix.com.usrfiles.com 5
http://htmlcomponentservice.appspot.com 2
http://www.slideee.com 2

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • http://www.hpenterprisesecurity.com/ponemon-2013-cost-of-cyber-crime-study-reportshttps://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdfhttp://www.symantec.com/about/news/release/article.jsp?prid=20131001_01
  • Datalossdb.org – 48% from hacking, 8% fraud, 7% stolen laptopVerizon DBR – 52% involved hacking

Self Defending Applications Self Defending Applications Presentation Transcript

  • Creating Self Defending Applications to Repel Attackers Michael Coates @_mwc
  • • Chairman OWASP Board • Shape Security: Director of Product Security Background – 12 years of security adventures • Built and lead security program protecting 450 million Firefox users & Mozilla systems • Secured code processing millions of dollars daily • Bypassed electronic voting systems • Defended fortune 100 global network • Infiltrated telco for mobile networks in Asia and Middle east • “Talked” my way into bank server rooms & to obtain user passwords @_mwc
  • Billion Dollar Cybercrime ~US $350 Billion – Global Drug Trafficking Estimates US $170 Billion – Apple Annual Revenue 2013 US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP) US $469 Billion – Walmart Annual Revenue 2013 US $95 Billion – Morocco 2012 Gross Domestic Product (GDP) US $112 Billion – Hewlett-Packard Annual Revenue 2013 US $104 Billion – Honda Annual Revenue 2012
  • Billion Dollar Cybercrime ~US $350 Billion – Global Drug Trafficking Estimates US $170 Billion – Apple Annual Revenue 2013 US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP) US $469 Billion – Walmart Annual Revenue 2013 US $95 Billion – Morocco 2012 Gross Domestic Product (GDP) US $112 Billion – Hewlett-Packard Annual Revenue 2013 US $104 Billion – Honda Annual Revenue 2012 US $113 Billion – Global price tag of consumer cybercrime
  • Cost of Security • Cybercrime cost to companies – 26% increase 2012 to 2013 • Cybercrime cost to individual – 50% increase 2012 to 2013 • Cost per breached record to company – Average US $136
  • Largest Single Culprit : Hacking Verizon Data Breach Report 20132013 Incidents by Breach Type datalossdb.org 48% from Hacking 52% involved Hacking
  • Opportunistic Scanners • Scan web for common vulnerabilities • Highly leverage automation • Often untargeted 75% Attacks Opportunistic Verizon Data Breach Report 2013
  • Underground Market Prices 2013 Dell SecureWorks USD Visa, American Express, Discover $4-$8 Credit Card with track 1 and 2 data $12 Full user information $25 1,000 Infected Computers $20 DDOS Attacks (per hour) $3-$5
  • The Objective • Protect the most critical data • Handle known and unknown attacks • Identify attackers before compromise • Automated – no humans needed
  • Critical Data Applications stored & allow access to critical data – by design Name Email Address Credit Card Bank Information Medical Information Purchase History Affiliations …
  • Gut Check Current Defenses Are Failing • Custom code • unique vulnerabilities -> tailored patches • Unrealistic defensive postures • Signatures only protect against last generic attack • Human required interaction is too slow • Valid signals are lost / ignored • Attackers constantly probe and attack applications without deterrence
  • Self Defending Applications The Attacker
  • Attack Points: Requests, Auth, Session
  • Attack Points: Access Control
  • Attack Points: Input Validation
  • Attack Points: Business Logic
  • Self Defending Applications In The Code
  • Attack Exposure
  • Defend with: Detection Points
  • Detecting Attacks • 50+ attack detection points and growing • Signature & Behavioral • Many have nearly zero false positive rate – Can’t be encountered accidentally by user – POST vs Get – ‘ OR ‘1’=‘1’ http://www.owasp.org/index.php/AppSensor_DetectionPoints
  • Centralize Attack Detection Knowledge • Detection Points Report to Central Location • AppSensor Integrates w/User Store • Enables Response Actions against User Object
  • Detect & Eliminate Threat • Strong control of authenticated portion – Lockout user – Disable account • Effective attack reporting for unauthenticated portion
  • App Defense Eliminates Threats
  • App Defense Eliminates Threats Block attacker & minimize threat
  • Humans & Automation • Detection Points – Human driven attacks • Trend Analysis – Automated driven attacks
  • Human Driven
  • Automated
  • Attack Aware Resources • Cross Talk Sept, 2011 - crosstalkonline.org • Software Assurance - buildsecurityin.us-cert.gov/swa/attackaware.html
  • Alternatives? • Self Defending – in the app, full user object interaction, full app knowledge • Web Application Firewall (stand alone) – generic attack detection • Log Analysis – slow, reactive, ineffective, ignored
  • Self Defending Applications In The Lifecycle & Organization
  • Threat Modeling – Identify critical business functionality – Capture abuse cases – Define detection methods
  • Example • Grant Permission Page site.com/UpdatePermission – Inputs: • targetUser - Integer • grantPerm - Integer (1,2,3) (Read, Write Delete) – Access Control Requirement: • Page Access: Power User • Functionality Access: Power User • Target User: Non-admin
  • Abuse Cases • Non-integer submitted for targetUser • Invalid number submitted for grantPerm • Force browsing to page from unauthorized account (HTTP GET) • Force submission to page from unauthorized account (HTTP Post) • Target user is admin account • Unexpected rate of use (100 perm changes in 10 seconds?)
  • Risk Analysis • Tolerance for Fraud & Abuse • Define Acceptable Response – Alert Admins – Logout / Lock Accounts – Limit Functionality
  • Response Options
  • Timing & Flow Attack Detection PointsCommon Attack Vectors Design Requirement s Threat Modeling Unique App Attack Vectors Risk Analysis Response Policy/Pla n Response Capabilitie s
  • Organization Support Who Action Architects, Developers, Biz Owners, Security SMEs Threat Modeling, Determine Detection Points Biz Owners, Architects, Security SMEs Determine Response Actions Architects, Security SMEs Design Response Architecture Operations Team, Security SMEs System Communication for Detection Logging & Response Developers, Security SMEs Implement Detection Point & Response Code Monitoring Team, Security SMEs Define monitoring thresholds, alerting/action requirements
  • Self Defending Applications Live Implementations
  • Common Event Format (CEF) • Emerging standard on logging format • Easily parsed by security integration manager (sim) • Enables AppSensor Logging CEF:0|Mozilla|MozFooApp|1.0 |ACE0|Access Control Violation|8|rt=01 31 2010 18:30:01 suser=janedoe suid=55 act=Action Denied src=1.2.3.4 dst=2.3.4.5 requestMethod=POST request=http://foo.mozilla.org/foo/abc.php?a=b cs1Label=requestClientApplication cs1=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2 msg=Additional Data here
  • SIM Deployment
  • Full Stack Knowledge • Application Layer - Custom attack / abuse notification • Network Layer - IDS activity, firewall failures • OS Layer - OS commands (AuditD), System event logs
  • Data Analysis Failed Captcha on Create User Account Created User Authentication Failed
  • Trend Analysis
  • Top Users Failing Auth within Application
  • App Use Mapping Operation IP Address Account
  • Auth Failed New Account Change Password
  • 1 IP Address, Multiple Users Auth Fail, New Account acct1 - pw change acct 2 - auth failed
  • Summary Self Defending Applications: • Detect Malicious Activity in Critical Apps • Enable Immediate Response • Prevent/Limit Compromise • Require Organization Support
  • AppSensor Project • AppSensor: Version 2 of Book • Sub-project: Preventing Automated Attacks – owasp.org/index.php/OWASP_AppSensor_Project/PAA – Evaluating current approaches, costs & efficacy • CAPTCHA, IP Blocking, Reputation, Human Analysis, etc • Join Us! – owasp.org/index.php/Category:OWASP_AppSensor_Project – owasp-appsensor-project@lists.owasp.org
  • Questions? @_mwc michael.coates@owasp.org