Developing Secure Applications and Defending Against Common Attacks
Make sure you’re defending against the most common web security issues and attacks with this useful overview of software development best-practices. We'll go over the most common attacks against web applications and present real world advice for defending yourself against these types of attacks.

Published in: Technology
Transcript

  • 1. DEVELOPING SECURE APPLICATIONS AND DEFENDING AGAINST ATTACKS Andy Steingruebl, Manager, Information Risk Management
  • 2. AGENDA
    • Introduction
    • Top Web Application Attacks
    • Secure Development Techniques
    • Tips for Security with PayPal Products
  • 3. WHEN SECURITY FAILS
  • 4. TYPICAL SECURITY MEASURES IN A BANK
  • 5. AGENDA
    • Introduction
    • Top Web Application Attacks
    • Secure Development Techniques
    • Tips for Security with PayPal Products
  • 6. THE PROBLEM OF SECURITY
    • Large and complex systems interact to make perfect security impossible.
    • New vulnerabilities are discovered almost every day.
    • Authorized users misuse access.
  • 7. A BRIEF HISTORY OF SECURITY ISSUES
    • 1994 Amazon
    • 1995 Yahoo!
    • 1998 Google
    • 2005 YouTube
  • 8. OPEN WEB APPLICATION SECURITY PROJECT (OWASP) TOP 10
    • Cross Site Scripting (XSS)
    • Injection flaws
    • Malicious file execution
    • Insecure direct object reference
    • Cross Site Request Forgery (CSRF)
    • Information leakage and improper error handling
    • Broken authentication and session management
    • Insecure cryptographic storage
    • Insecure communications
    • Failure to restrict URL access
    Source: http://www.owasp.org/index.php/Top_10_2007
  • 9. WEB APPLICATION SECURITY CONSORTIUM (WASC) THREAT CLASSIFICATION
    • The threat classification is an effort to classify the weaknesses and attacks that can lead to the compromise of a website, its data, or its users.
    Found at http://www.webappsec.org/projects/threat/
  • 10. CROSS SITE SCRIPTING (XSS)
    • What if <iframe src="http://en.wikipedia.com" height="1180" width="100%"></iframe> was somebody’s name?
  • 11. CROSS SITE SCRIPTING (XSS)
    • XSS Code allows an attacker to:
      • Exploit the user’s trust for a web site
      • Make requests using victim’s credentials
      • Alter the website (phishing attacks)
      • Track user activity
      • Hijack a user’s session
      • Provide an attack vector used by web focused worms
  • 12. XSS MITIGATION
    • Output filtering
      • Encode fields to escape HTML in output (HTML entity encoding)
      • Use context-appropriate encoding
    • Input validation
      • Don’t trust user input
      • Validate using a white list
    • Cookie security flags
      • HTTP only
      • Secure (not an XSS protection, but still a good idea)
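The two XSS controls from slides 10 and 12, as an added Python example that is not part of the deck: the iframe "name" from slide 10 is rejected by a whitelist validator, and where untrusted data must be echoed it goes through a different encoder for each output context (HTML, JavaScript string, URL parameter). The name policy and the rendered fragments are constructed for the example.

```python
import html
import json
import re
from urllib.parse import quote

# Constructed sample: the "name" from slide 10, an iframe tag where a person's name should be.
HOSTILE_NAME = '<iframe src="http://en.wikipedia.com" height="1180" width="100%"></iframe>'

# Whitelist for a display name (constructed policy): a letter, then letters, space, ' . - up to 64 chars.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' .-]{0,63}")

def validate_name(value):
    """Input validation against the whitelist; reject anything else rather than trying to clean it."""
    return NAME_RE.fullmatch(value) is not None

def encode_html(value):
    """HTML text or quoted-attribute context: entity-encode & < > \" and '."""
    return html.escape(value, quote=True)

def encode_js_string(value):
    """JavaScript string-literal context: JSON escaping, plus < > & so '</script>' cannot close the tag."""
    escaped = json.dumps(value)[1:-1]          # handles quotes, backslashes, control and non-ASCII chars
    return escaped.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")

def encode_url_param(value):
    """URL query-parameter context: percent-encode everything except unreserved characters."""
    return quote(value, safe="")

def render_profile(name):
    """Emit one untrusted value into three output contexts, each through its own encoder."""
    return (
        "<p>Hello, {body}!</p>\n"
        '<script>var displayName = "{js}";</script>\n'
        '<a href="/search?q={url}">Find users like you</a>'
    ).format(body=encode_html(name), js=encode_js_string(name), url=encode_url_param(name))
```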
  • 13. CROSS SITE REQUEST FORGERY (CSRF)
    • Takes advantage of a website’s trust of a user
    • Example: A user is sent an email with an image link. When they load the email, it tries to load an image.
      • <img src="https://www.yourbank.com/transfer_money?to=attacker_account&amount=1000">
  • 14. CSRF MITIGATION
    • Use CSRF tokens.
    • Tokens must be associated with the user’s session.
    • The combination of cookie and token must be unique and received within a specific window of time.
      • OR
    • Require users to re-authenticate before performing sensitive transactions.
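The token scheme from slide 14, as an added Python example that is not from the deck: each token is an HMAC over the session id and an issue time, so it is bound to the user's session and only accepted inside a fixed window; the transfer handler from slide 13 refuses the forged image request because it carries no token. The secret, window length and handler shape are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import time

SERVER_SECRET = os.urandom(32)          # constructed: in practice loaded from configuration, not source
TOKEN_WINDOW_SECONDS = 15 * 60          # constructed window; tokens older than this are refused
_MAC_LEN = hashlib.sha256().digest_size

def _mac(session_id, issued_at):
    """HMAC binding the token to this session id and this issue time."""
    message = f"{session_id}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).digest()

def issue_csrf_token(session_id, now=None):
    """Mint a token for the session: base64(issue_time || HMAC(secret, session_id | issue_time))."""
    issued_at = int(time.time()) if now is None else now
    raw = issued_at.to_bytes(8, "big") + _mac(session_id, issued_at)
    return base64.urlsafe_b64encode(raw).decode()

def verify_csrf_token(session_id, token, now=None):
    """Accept only a well-formed token minted for this session inside the window (constant-time compare)."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                               # bad padding or non-base64 input
        return False
    if len(raw) != 8 + _MAC_LEN:
        return False
    issued_at = int.from_bytes(raw[:8], "big")
    if not 0 <= now - issued_at <= TOKEN_WINDOW_SECONDS:
        return False
    return hmac.compare_digest(raw[8:], _mac(session_id, issued_at))

def handle_transfer(session_id, form):
    """The bank's transfer endpoint from slide 13; the forged <img> request carries no form token."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "request rejected: missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']}"
```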
  • 15. SQL INJECTION
    • Flaw when SQL statements are formed by string concatenation
    • statement = "SELECT * FROM users WHERE name = '" + userName + "'";
    • What if the user enters: ' or 'x'='x ?
    Source: http://xkcd.com/327/
  • 16. MITIGATING SQL INJECTION
    • Validate all input parameters accepted by the web application.
    • Create SQL queries in a secure manner.
      • Like PreparedStatement or CallableStatement
    • Parameterized queries are not vulnerable to most types of SQL injection attacks.
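Slides 15 and 16 side by side, as an added Python example that is not from the deck: the concatenated statement from slide 15 run against an in-memory SQLite table, next to the same lookup done with a bound parameter (Python's sqlite3 placeholder, standing in for the Java PreparedStatement the slide names) and a whitelist check on the user name. The table contents and the user-name policy are constructed.

```python
import re
import sqlite3

def make_db():
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def find_user_concat(conn, user_name):
    """The flaw from slide 15: the statement is assembled by string concatenation,
    so the input "' or 'x'='x" becomes part of the WHERE clause and matches every row."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "'"
    return conn.execute(statement).fetchall()

def find_user_param(conn, user_name):
    """Parameterized query: the value is bound to the ? placeholder and never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()

# Constructed whitelist for user names: lowercase letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def lookup_user(conn, user_name):
    """Defense in depth: validate the parameter first, then use the parameterized query."""
    if USERNAME_RE.fullmatch(user_name) is None:
        raise ValueError("invalid user name")
    return find_user_param(conn, user_name)
```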
  • 17. ATTACKING LOGIN FUNCTIONALITY
    • Typical attacks against login functionality
      • Username enumeration
      • Password guessing
      • Brute-force attacks
      • Authentication mechanism attack
        • For example, ‘Basic’ web server authentication is really a Base64-encoded username/password passed in headers without encryption: Authorization: Basic RG9udFVzZVRoaXNQYXNzd29yZA==
  • 18. MITIGATING LOGIN ATTACKS
    • Develop generic error messages.
    • Enforce account lockout after failed log in attempts.
    • Implement account lockout until reset.
    • Make sure account lockout triggers notification.
    • Implement server-side enforcement of password syntax and strength.
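The five controls on slide 18 in one place, as an added Python example that is not from the deck: a single generic error for unknown user, wrong password and locked account; lockout after a fixed number of failures that persists until an explicit reset; a notification hook fired on lockout; and a password policy enforced on the server at registration. The attempt limit, the policy and the notify callback are constructed.

```python
import hashlib
import hmac
import os
import re

MAX_FAILED_ATTEMPTS = 5                     # constructed policy value
GENERIC_ERROR = "Invalid username or password."

def hash_password(password, salt=None):
    """Salted PBKDF2; the same cost is paid on every path so timing does not reveal user existence."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_meets_policy(password):
    """Server-side strength rule (constructed): at least 12 chars with upper, lower and digit."""
    return len(password) >= 12 and all(re.search(p, password) for p in (r"[A-Z]", r"[a-z]", r"[0-9]"))

class Authenticator:
    def __init__(self, notify):
        self.users = {}          # username -> salt, hash, failed-attempt count, lock flag
        self.notify = notify     # hook called on lockout (mail, SIEM event, ...)

    def register(self, username, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")   # enforced here, not only in browser JS
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "failed": 0, "locked": False}

    def login(self, username, password):
        """Return (ok, message); the message is identical for unknown, locked and wrong-password cases."""
        user = self.users.get(username)
        if user is None:
            hash_password(password, b"\x00" * 16)          # burn the same work for unknown users
            return False, GENERIC_ERROR
        if user["locked"]:
            return False, GENERIC_ERROR
        _, digest = hash_password(password, user["salt"])
        if hmac.compare_digest(digest, user["hash"]):
            user["failed"] = 0
            return True, "ok"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True                           # stays locked until reset_lockout
            self.notify(username)                           # lockout always triggers a notification
        return False, GENERIC_ERROR

    def reset_lockout(self, username):
        """Out-of-band reset (help desk, verified e-mail link); clears the lock and the counter."""
        self.users[username]["failed"] = 0
        self.users[username]["locked"] = False
```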
  • 19. COMMON SHOPPING CART ATTACKS
    • Price tampering
    • Fake referrer header attack
  • 20. PRICE TAMPERING
    • One of the oldest web attacks
    • Defense is fairly straightforward
    • Store price information in server-side state
    • Employ effective controls during shipping processes
    • Recommended PayPal Products include Website Payments Standard saved buttons and Express Checkout
  • 21. REFERER HEADER ATTACKS
    • Do not rely on HTTP REFERER header for security decisions.
    • REFERER can be tampered with by the end user.
    • For instant-fulfillment requirements, we strongly recommend PayPal Express Checkout.
    • If you use Website Payments Standard, make sure to confirm payments before delivering goods to the customer.
  • 22. APPLICATION SECURITY TESTING
    • The simplest application security testing tools are client-side proxies
      • Burp
      • Paros
      • Fiddler
      • WebScarab
    • Browser plug-ins can also help
      • Tamper Data
      • HttpWatch
    • Free, commercial tools exist to automate security testing
      • AppScan
      • WebInspect
  • 23. APPLICATION SECURITY TESTING (CONT’D) Tools help developers and testers debug HTTP/HTTPS traffic and help identify potential vulnerabilities like XSS, CSRF, and so on.
  • 24. AGENDA
    • Introduction
    • Top Web Application Attacks
    • Secure Development Techniques
    • Tips for Security with PayPal Products
  • 25. APPLICATION SECURITY AND SDLC
    • “70% of security vulnerabilities exist at the application layer, not the network layer. The most damaging targeted attacks have focused on vulnerabilities in web applications and custom developed software.”
      • Gartner
    • “The only people who can solve software security are the builders.”
      • Gary McGraw, “Building Secure Software”
    • “The cost of removing an application security vulnerability during the design/development phase ranges from 30-60 times less than if removed during production.”
      • NIST, IBM, and Gartner
    Several standards and regulatory compliance requirements directly or indirectly mandate the need for application security controls - PCI DSS, ISO 17799/27001, SOX, GLBA, etc.
  • 26. SECURITY IN SDLC
    • Ensure that both design and implementation security-related bugs don’t get released into production.
  • 27. WHY BEST PRACTICES?
    • Why best practices?
      • Can make code easier to read and less ambiguous
      • Solves some problems
      • More robust in the face of change
      • Reduces the likelihood of common flaws
      • Dangerous areas are clearly marked
    • Secure development can benefit from checklists
      • Did I make sure to check for error conditions?
      • Did I make sure I avoided banned behaviors?
      • Did I make sure I tested for the right things?
  • 28. COMPUTER EMERGENCY RESPONSE TEAM (CERT) SECURE CODING BEST PRACTICES
    • Validate input.
    • Heed compiler warnings.
    • Architect and design for security policies.
    • Keep it simple.
    • Default deny.
    • Adhere to the principle of least privilege.
    • Sanitize data sent to other systems (or modules/components) with output filtering.
    • Practice defense in depth.
    • Use effective quality assurance techniques.
    • Adopt a secure coding standard.
    https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
  • 29. INPUT VALIDATION
    • BELIEVE IN NOTHING!!
      • Everything that comes from the user/browser is not to be trusted.
    • Form values
      • Including “hidden”
    • HTTP headers
      • Including cookies, referrer value
    • Environment variables (for CGI scripts)
    • How to validate and what to do with bad input?
  • 30. MORE SECURITY BEST PRACTICES
    • Don’t store passwords in the source code.
    • Don’t try to invent your own encryption algorithm.
    • Don’t hard-code keys used for encryption or signing.
    • Configure and patch your web servers and application servers securely.
    • Don’t use insecure APIs.
  • 31. AGENDA
    • Introduction
    • Top Web Application Attacks
    • Secure Development Techniques
    • Tips for Security with PayPal Products
  • 32. SECURITY WITH PayPal PRODUCTS
    • Always use HTTPS when talking to PayPal.
    • Always integrate with web flows and APIs using POST, not GET.
    • Always integrate with PayPal using an HTTP(s) library, not raw sockets.
      • Pay attention to HTTP(s) error codes
    • Validate IPNs properly.
    • Use saved or encrypted Website Payments Standard buttons to prevent tampering attacks.
    • Don’t rely on the referrer header during a checkout flow to assume a person has been paid.
  • 33. CONCLUDING THOUGHTS
    • Be careful about handling input to your application.
    • Stay current on security vulnerabilities.
    • Harden your servers, frameworks, and applications and keep them up to date.
    • By following best practices, your applications will be both more robust and more secure.
  • 34. MORE INFORMATION
    • Websites
      • The Open Web Application Security Project ( http://www.owasp.org )
      • The Web Application Security Consortium ( http://www.webappsec.org/)
      • Security Focus ( http://www.securityfocus.com )
    • Online Documents & Books
      • Writing Secure Code 2nd Edition by Howard and LeBlanc
      • Improving Web Application Security: Threats and Countermeasures ( http://www.microsoft.com/downloads/details.aspx?FamilyId=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9&displaylang=en )
  • 35. LEARN AND SHARE
    • www.x.com
    • Twitter:  @paypalx
    • www.facebook.com/paypalx
    • Innovate 09 hashtag:  #ppxi09