Application Security

* Brief timeline on cyber attack history
* Definition
* Foundations of Security
* Definition of Terms
* Threat Modeling
* Application Vulnerability Categories
* Core Security Principles
* Web Application Security
* Risks and Risk Mitigation/Control Measures

Published in: Internet

Application Security

  1. Application Security
     Reggie Santos, UP ITDC
  2. Outline
     * Brief timeline on cyber attack history
     * Definition
     * Foundations of Security
     * Definition of Terms
     * Threat Modeling
  3. Outline (continued)
     * Application Vulnerability Categories
     * Core Security Principles
     * Web Application Security
     * Risks and Risk Mitigation/Control Measures
     * References
  4. "The number of variants of malicious software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year" – Government Accountability Office (GAO), US (2012)
  5. Security
     * Fundamentally about protecting assets
     * Assets
       * Tangible items such as a Web page or your customer database
       * Less tangible items such as the company's reputation
  6. Security
     * A path, not a destination
     * As you analyze your infrastructure and applications, you identify potential threats and understand that each threat presents a degree of risk
     * About risk management and implementing effective countermeasures
  7. Foundations of Security: Authentication
     * Addresses the question: "who are you?"
     * Process of uniquely identifying the clients of your applications and services
     * Clients might be end-users, other services, processes, or computers
     * Authenticated clients are referred to as principals
  8. Foundations of Security: Authorization
     * Addresses the question: "what can you do?"
     * Process that governs the resources and operations that the authenticated client is permitted to access
  9. Foundations of Security: Authorization
     * Resources include files, databases, tables, rows, and so on, together with system-level resources such as registry keys and configuration data
     * Operations include performing transactions such as purchasing a product, transferring money from one account to another, or increasing a customer's credit rating
  10. Foundations of Security: Confidentiality
     * Privacy
     * Process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized users or eavesdroppers who monitor the flow of traffic across a network
  11. Foundations of Security: Confidentiality
     * Encryption is frequently used to enforce confidentiality
       * Symmetric ciphers: AES (Advanced Encryption Standard), Blowfish, DES (Data Encryption Standard; its 56-bit key is obsolete, so do not use it for new work)
       * Asymmetric: RSA
       * Hash functions (MD5, SHA-1) and HMAC are not encryption and provide no confidentiality; they serve integrity (next slide). MD5 and SHA-1 are broken for collision resistance and should not be relied on where collisions matter
     * Access control lists (ACLs) are another means
  12. Foundations of Security: Integrity
     * Guarantee that data is protected from accidental or deliberate (malicious) modification
     * Integrity for data in transit is typically provided by message authentication codes (e.g. HMAC) or digital signatures, as in TLS
     * A bare hash detects accidental corruption only: an attacker who can alter the data can recompute the hash, so a secret key has to be part of the check
  13. Foundations of Security: Availability
     * Systems remain available for legitimate users
  14. Definition of Terms: Threat
     * Any potential occurrence, malicious or otherwise, that could harm an asset
  15. Definition of Terms: Vulnerability
     * Weakness that makes a threat possible
     * May be because of poor design, configuration mistakes, or inappropriate and insecure coding techniques
     * e.g. lack of or improper input validation
  16. Definition of Terms: Attack
     * Action that exploits a vulnerability or enacts a threat
     * e.g. sending malicious input to an application
     * e.g. flooding a network in an attempt to deny service
  17. Threat Modeling
     * Recommended to form part of your application's design phase
     * Analyzes your application's architecture and design and identifies potentially vulnerable areas that may allow a user, perhaps mistakenly, or an attacker with malicious intent, to compromise your system's security
  18. Application Security
     * Use of software, hardware, and procedural methods to protect applications from external threats
  19. Application Vulnerability Categories: Input Validation
     * How your application filters, scrubs, or rejects input before additional processing
  20. Application Vulnerability Categories: Authentication
     * "Who are you?"
     * Process by which one entity proves its identity to another, typically through credentials such as a username and password
  21. Application Vulnerability Categories: Authorization
     * "What can you do?"
     * How your application provides access controls for resources and operations
  22. Application Vulnerability Categories: Configuration Management
     * Who does your application run as?
     * Which databases does it connect to?
  23. Application Vulnerability Categories: Configuration Management
     * How is your application administered?
     * How are these settings secured?
     * How your application handles these operational issues
  24. Application Vulnerability Categories: Sensitive Data
     * How your application handles any data that must be protected, either in memory, over the wire, or in persistent stores
  25. Application Vulnerability Categories: Session Management
     * Session: series of related interactions between a user and your web application
     * How your application handles and protects these interactions
  26. Application Vulnerability Categories: Cryptography
     * How are you keeping secrets secret (confidentiality)?
     * How are you tamperproofing your data or libraries (integrity)?
     * How are you providing seeds for random values that must be cryptographically strong?
     * How your application enforces confidentiality and integrity
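The session-management and cryptography categories above meet in one concrete artifact: the session identifier. The block below is an added example, not from the slides, showing identifiers drawn from the operating system's CSPRNG through Python's secrets module, an idle and an absolute timeout, and rotation of the identifier after login. The SessionStore class, the timeout values and the clock hook are assumptions made for the demonstration.

```python
"""Session identifiers from a CSPRNG, with expiry and rotation.

Added example, not from the slides. SessionStore, the timeouts and the
``clock`` hook are assumptions made for the demonstration.
"""
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60       # assumed: 15 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: 8 hours regardless of activity
TOKEN_BYTES = 32             # 256 bits from os.urandom: infeasible to guess or enumerate


def new_session_id() -> str:
    # secrets draws from the OS CSPRNG. The random module (Mersenne Twister)
    # is not suitable here: its internal state can be recovered from about
    # 624 observed outputs, after which every past and future id is predictable.
    return secrets.token_urlsafe(TOKEN_BYTES)


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str, role: str = "user") -> str:
        now = self._clock()
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "role": role,
                               "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        """Return the session or None; expired sessions are destroyed on sight."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess["last_seen"] > IDLE_TIMEOUT
                or now - sess["created"] > ABSOLUTE_TIMEOUT):
            self.destroy(sid)
            return None
        sess["last_seen"] = now
        return sess

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh id for an existing session. Call this after login and
        after any privilege change: an id an attacker planted in the browser
        before authentication (session fixation) then no longer maps to the
        authenticated session."""
        sess = self._sessions.pop(sid, None)
        if sess is None:
            return None
        new_sid = new_session_id()
        self._sessions[new_sid] = sess
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("anonymous", role="guest")
    authed = store.rotate(anon)          # after a successful login
    print("pre-login id still valid:", store.lookup(anon) is not None)   # False
    print("post-login id valid:", store.lookup(authed) is not None)      # True
```

The store keeps all session state server-side; the client only ever holds the opaque identifier, so there is nothing in the cookie to tamper with. The idle timeout limits how long a stolen identifier stays useful, the absolute timeout bounds it even for an attacker who keeps the session warm.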
  27. Application Vulnerability Categories: Parameter Manipulation
     * Form fields, query string arguments, and cookie values are frequently used as parameters for your application
     * How your application safeguards against tampering with these values and how it processes input parameters
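Slide 12's point about integrity and this slide's point about parameter manipulation come together in a cookie that carries a claim. The block below is an added example, not from the deck: a role claim protected only by a SHA-256 checksum, which anyone can recompute, beside the same claim protected by an HMAC under a key only the server holds. The server key, the "value.tag" cookie layout and the claim text are assumptions.

```python
"""Tamper-evident cookie values: a bare hash beside an HMAC.

Added example, not from the slides. The server key, the cookie layout
("<value>.<tag>") and the role claim are assumptions for the demo.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed server-side secret. In production it comes from a secret store,
# never from the repository and never from anything the client sends.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Weak: value plus its SHA-256 checksum -----------------------------------
def sign_with_hash(value: str) -> str:
    """Append SHA-256(value). Detects corruption, not tampering."""
    return f"{value}.{_b64(hashlib.sha256(value.encode()).digest())}"


def verify_with_hash(cookie: str) -> Optional[str]:
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    try:
        provided = _unb64(tag)
    except (ValueError, binascii.Error):
        return None
    expected = hashlib.sha256(value.encode()).digest()
    return value if hmac.compare_digest(expected, provided) else None


def forge_hash_cookie(new_value: str) -> str:
    """What the attacker does: no secret is involved, so they recompute the
    checksum over whatever value they like."""
    return sign_with_hash(new_value)


# --- Sound: value plus HMAC-SHA256 under the server key -----------------------
def sign_with_hmac(value: str, key: bytes = SERVER_KEY) -> str:
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return f"{value}.{_b64(tag)}"


def verify_with_hmac(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    try:
        provided = _unb64(tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).digest()
    # compare_digest runs in constant time; a plain == would let an attacker
    # learn the tag byte by byte from response timing.
    return value if hmac.compare_digest(expected, provided) else None


if __name__ == "__main__":
    original = "user=alice;role=user"
    tampered = "user=alice;role=admin"
    print("hash scheme accepts forgery:", verify_with_hash(forge_hash_cookie(tampered)))
    print("hmac scheme accepts forgery:", verify_with_hmac(forge_hash_cookie(tampered)))
    print("hmac scheme accepts genuine:", verify_with_hmac(sign_with_hmac(original)))
```

The HMAC makes the value tamper-evident, not secret: the claim is still readable by the client, so anything confidential belongs server-side, looked up by an opaque identifier rather than carried in the cookie.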
  28. Application Vulnerability Categories: Exception Management
     * When a method call in your application fails, what does your application do?
     * How much do you reveal?
  29. Application Vulnerability Categories: Exception Management
     * Do you return friendly error information to end-users?
     * Do you pass valuable exception information back to the caller?
     * How does your application fail gracefully?
  30. Application Vulnerability Categories: Auditing and Logging
     * "Who did what and when?"
     * How your application records security-related events
  31. Core Security Principles: Compartmentalize
     * Reduce the surface area of attack
     * Ask yourself how you will contain a problem
     * If an attacker takes over your application, what resources can he or she access?
     * Can an attacker access network resources?
  32. Core Security Principles: Compartmentalize
     * How are you restricting potential damage?
     * Examples
       * Firewalls
       * Least privileged accounts
       * Least privileged code
  33. Core Security Principles: Use least privilege
     * By running processes using accounts with minimal privileges and access rights, you significantly reduce the capabilities of an attacker if the attacker manages to compromise security and run code
  34. Core Security Principles: Apply defense in depth
     * Use multiple gatekeepers to keep attackers at bay
     * Do not rely on a single layer of security
     * Consider that one of your layers may be bypassed or compromised
  35. Core Security Principles: Do not trust user input
     * Your application's user input is the attacker's primary weapon when targeting your application
     * Assume all input is malicious until proven otherwise
  36. Core Security Principles: Check at the gate
     * Authenticate and authorize callers early, at the first gate
  37. Core Security Principles: Fail securely
     * If an application fails, do not leave sensitive data accessible
     * Return friendly errors to end-users that do not expose internal system details
     * Do not include details that may help an attacker exploit vulnerabilities in your application
  38. Core Security Principles: Secure the weakest link
     * Is there a vulnerability at the network layer that an attacker can exploit?
     * What about the host?
     * Is your application secure?
     * Any weak link in the chain is an opportunity for a breach
  39. Core Security Principles: Create secure defaults
     * Is the default account set up with the least privilege?
     * Is the default account disabled by default and then explicitly enabled when required?
     * Does the configuration use a password in plain text?
     * When an error occurs, does sensitive information leak back to the client to be used potentially against the system?
  40. Core Security Principles: Reduce your attack surface
     * If you do not use it, remove it or disable it
     * Reduce the surface area of attack by disabling or removing unused services, protocols, and functionality
     * Does your server need all those services and ports?
     * Does your application need all those features?
  41. Application Security
     * Aims to identify:
       * The critical assets of the organization
       * Genuine users who may access the data
       * Level of access provided to each user
  42. Application Security
     * Aims to identify:
       * Various vulnerabilities that may exist in the application
       * Data criticality and risk analysis on data exposure
       * Appropriate remediation measures
  43. Controls/Risk Mitigation Measures
     * Implement a Software Development Lifecycle (SDLC)
       * Add security attributes to your SDLC
       * Performing the right activities
       * Qualified personnel
  44. Controls/Risk Mitigation Measures
     * Enlist QA for basic application security holes
       * SSL/TLS (Secure Sockets Layer / Transport Layer Security; every SSL version is deprecated, so what gets deployed today is TLS)
       * App-specific PKI (Public Key Infrastructure)
       * Input sanitization
  45. Controls/Risk Mitigation Measures
     * Standards
       * CWE: Common Weakness Enumeration, http://cwe.mitre.org
       * CAPEC: Common Attack Pattern Enumeration and Classification, http://capec.mitre.org
  46. Controls/Risk Mitigation Measures
     * Application Firewalls (e.g. WAF)
       * Inspects all traffic flowing to the web application for common web application attacks
       * Add your solution to your asset inventory and configuration assessment tasks
  47. Controls/Risk Mitigation Measures
     * Against Cross-site Scripting (XSS) attacks
     * Against SQL injection attacks
     * Against command injection attacks
     * Against directory traversal attacks
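Two of the attack classes listed above, SQL injection and directory traversal, are shown below as an added example that is not part of the deck: each as the vulnerable function beside its hardened form. The in-memory SQLite table and the temporary document tree are constructed sample data; the file names and layout are assumptions.

```python
"""SQL injection and directory traversal: vulnerable calls beside hardened ones.

Added example, not from the deck. The SQLite table and the document tree
are constructed sample data; names and layout are assumptions.
"""
import os
import sqlite3
import tempfile
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # The input is spliced into the statement text, so it can change the
    # query's structure: name = "x' OR '1'='1" returns every row.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Parameterised: the statement is fixed, the value travels separately
    # and is only ever compared as data.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


def make_document_tree() -> str:
    """Constructed layout: <tmp>/docs/readme.txt is public,
    <tmp>/secret.txt sits one level above the document root."""
    base = tempfile.mkdtemp()
    docs = os.path.join(base, "docs")
    os.mkdir(docs)
    with open(os.path.join(docs, "readme.txt"), "wb") as fh:
        fh.write(b"public")
    with open(os.path.join(base, "secret.txt"), "wb") as fh:
        fh.write(b"db password")
    return docs


def read_document_vulnerable(root: str, requested: str) -> bytes:
    # os.path.join follows ".." and discards `root` entirely when
    # `requested` is an absolute path.
    with open(os.path.join(root, requested), "rb") as fh:
        return fh.read()


def _resolve(root: str, requested: str) -> Tuple[str, str]:
    root_real = os.path.realpath(root)
    return root_real, os.path.realpath(os.path.join(root_real, requested))


def is_within_root(root: str, requested: str) -> bool:
    # realpath resolves "..", "." and symlinks before the check. commonpath
    # avoids the startswith() pitfall where "/srv/docs_secret" passes a
    # prefix test against "/srv/docs".
    root_real, target = _resolve(root, requested)
    return os.path.commonpath([root_real, target]) == root_real


def read_document_safe(root: str, requested: str) -> bytes:
    if not is_within_root(root, requested):
        raise PermissionError(f"path escapes document root: {requested!r}")
    _, target = _resolve(root, requested)
    with open(target, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, "x' OR '1'='1"))   # both rows
    print("safe:      ", find_user_safe(conn, "x' OR '1'='1"))         # []
    docs = make_document_tree()
    print("vulnerable read:", read_document_vulnerable(docs, "../secret.txt"))
    print("escapes root:", is_within_root(docs, "../secret.txt"))      # False
```

Both fixes follow the same principle: keep untrusted input in the data position. The parameter binding keeps the input out of the SQL grammar; the canonicalise-then-compare check keeps it from choosing a file outside the directory the application meant to expose.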
  48. Controls/Risk Mitigation Measures
     * Explicit error checking should be done for all input
     * Implement thorough input validation
  49. Controls/Risk Mitigation Measures
     * Whenever a variable is created in source code, the size and type should be determined
     * Guard against overflows
       * Buffer overflows
       * Integer overflows
     * Perform the checks using code reviews, and static and runtime analysis
  50. Controls/Risk Mitigation Measures
     * When input is provided by the user, it should be verified that it does not exceed the size or the data type of the memory location in which it is stored or moved in the future
     * Can be mitigated against through a formalized SDLC with good code review and automated analysis
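The size check these two slides call for is easy to get wrong when the check itself can overflow. The block below is an added example, not from the slides: a record parser whose bounds check adds an offset and a length in 32-bit arithmetic, so a crafted record wraps the sum to a small number and the subsequent copy writes thousands of bytes into a 64-byte buffer, beside a version that bounds each operand on its own. Python integers never overflow, so the vulnerable version masks to 32 bits to reproduce what a C uint32_t does; the record layout and buffer size are assumptions.

```python
"""A size check defeated by 32-bit wrap-around, and the fix.

Added example, not from the slides. Models a fixed 64-byte receive buffer
and a record of the form u32 offset | u32 length | payload (constructed
layout). Python integers never overflow, so the vulnerable version masks
to 32 bits to reproduce what a C uint32_t does.
"""
import struct

U32_MAX = 0xFFFFFFFF
BUF_SIZE = 64
HEADER = struct.Struct("<II")   # little-endian offset, length


def build_record(offset: int, length: int, payload: bytes) -> bytes:
    return HEADER.pack(offset, length) + payload


def copy_payload_vulnerable(record: bytes) -> int:
    """Return the number of bytes memcpy(buf, payload + offset, length)
    would write into the 64-byte buffer after the check has passed."""
    offset, length = HEADER.unpack_from(record, 0)
    end = (offset + length) & U32_MAX      # uint32_t addition: wraps silently
    if end > BUF_SIZE:                     # passes whenever the sum wrapped
        raise ValueError("record too large")
    return length                          # the caller copies this many bytes


def copy_payload_safe(record: bytes) -> bytes:
    if len(record) < HEADER.size:
        raise ValueError("truncated header")
    offset, length = HEADER.unpack_from(record, 0)
    payload = record[HEADER.size:]
    # Check each operand against its own bound; there is no sum to wrap.
    if length > BUF_SIZE:
        raise ValueError("declared length exceeds buffer")
    if offset > len(payload) or length > len(payload) - offset:
        raise ValueError("declared range exceeds payload")
    buf = bytearray(BUF_SIZE)
    buf[:length] = payload[offset:offset + length]
    return bytes(buf[:length])


if __name__ == "__main__":
    # 0xFFFFF010 + 0x1000 = 0x1_0000_0010, which a uint32_t stores as 0x10.
    evil = build_record(0xFFFFF010, 0x1000, b"A" * 16)
    print("vulnerable check allowed bytes:", copy_payload_vulnerable(evil))  # 4096
    try:
        copy_payload_safe(evil)
    except ValueError as exc:
        print("safe version rejected:", exc)
```

The same pattern applies to any `offset + length <= size` test written in a fixed-width integer type: either compare the operands separately, as above, or compute the sum in a wider type and check it did not wrap. Static analysers flag the summed form; a code review should too.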
  51. Controls/Risk Mitigation Measures
     * Test in-house-developed web applications for common security weaknesses using automated remote web application scanners prior to deployment
     * Through penetration testing
  52. Controls/Risk Mitigation Measures
     * Test in-house-developed web applications for common security weaknesses using automated remote web application scanners whenever updates are made to the application
     * Regression testing for security issues
  53. Controls/Risk Mitigation Measures
     * System error messages should not be displayed to end-users (output sanitization)
     * Simple data leakage mitigation
     * Can be troublesome for your support group
     * If need be, create an error code mapping from the platform/internals to something you can share with an end-user who will likely call support at some point anyway
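The error code mapping described above, combined with the "fail securely" and auditing points from the principles slides, looks like the following. It is an added example, not from the deck: internal exceptions collapse to opaque public codes, the full detail goes to the server log under a correlation id the user can quote to support, and a leaky wrapper is shown beside it for contrast. The ERROR_MAP table, the request wrappers and the sample handlers are constructed for the demonstration.

```python
"""Fail securely: opaque error codes to the client, full detail to the log.

Added example, not from the deck. ERROR_MAP, the two request wrappers and
the sample handlers are constructed for the demonstration.
"""
import logging
import secrets
import sqlite3
import traceback
from typing import Any, Callable, Dict, Tuple

log = logging.getLogger("app")

# Internal exception type -> (public code, public message). Anything not
# listed collapses to GENERIC, so a new failure mode cannot leak by default.
ERROR_MAP: Dict[type, Tuple[str, str]] = {
    KeyError: ("E1001", "The requested item was not found."),
    PermissionError: ("E1003", "You are not allowed to perform this action."),
    sqlite3.Error: ("E2000", "A storage error occurred."),
}
GENERIC = ("E9999", "An unexpected error occurred.")


def map_exception(exc: BaseException) -> Tuple[str, str]:
    for exc_type, public in ERROR_MAP.items():
        if isinstance(exc, exc_type):
            return public
    return GENERIC


def handle_request(handler: Callable[..., Any], *args: Any) -> Dict[str, Any]:
    try:
        return {"ok": True, "result": handler(*args)}
    except Exception as exc:
        code, message = map_exception(exc)
        ref = secrets.token_hex(8)   # correlation id the user quotes to support
        # Everything useful to an attacker (exception type, table names,
        # paths, stack trace) stays server-side, keyed by ref for support.
        log.error("ref=%s code=%s exc=%r\n%s", ref, code, exc,
                  traceback.format_exc())
        return {"ok": False, "code": code, "message": message, "ref": ref}


def handle_request_leaky(handler: Callable[..., Any], *args: Any) -> Dict[str, Any]:
    """Anti-pattern, for contrast: hands the caller the raw exception and stack."""
    try:
        return {"ok": True, "result": handler(*args)}
    except Exception as exc:
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}",
                "trace": traceback.format_exc()}


# Constructed handlers that fail in the ways the table expects.
def lookup_account(accounts: Dict[str, str], account_id: str) -> str:
    return accounts[account_id]             # KeyError for an unknown id


def run_query(sql: str) -> list:
    return sqlite3.connect(":memory:").execute(sql).fetchall()   # OperationalError


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle_request(lookup_account, {"acct-1": "alice"}, "acct-2"))
    print(handle_request_leaky(run_query, "SELECT * FROM secrets_table"))
    print(handle_request(run_query, "SELECT * FROM secrets_table"))
```

The mapping is deliberately keyed on exception type rather than message text, so a change in a library's wording cannot turn a mapped error into a leak, and the generic fallback means an unanticipated exception still yields nothing more than a code.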
  54. Controls/Risk Mitigation Measures
     * Organizations should understand how their applications behave under denial of service attacks
     * Test your service for load and have an executable plan in place for when something goes wrong
     * Organizations should understand how their applications behave under resource exhaustion attacks
  55. Controls/Risk Mitigation Measures
     * Maintain separate environments for production and non-production systems
     * Developers should not typically have unmonitored access to production environments
  56. Controls/Risk Mitigation Measures
     * Test in-house-developed/third-party web and other application software for coding errors and malware insertion prior to deployment
  57. Summary
     * Brief timeline on cyber attack history
     * Definition
     * Foundations of Security
       * Authentication
       * Authorization
       * Auditing
  58. Summary
     * Foundations of Security
       * Confidentiality
       * Integrity
       * Availability
     * Definition of Terms
       * Threat
       * Vulnerability
       * Attack
  59. Summary
     * Threat Modeling
     * Application Vulnerability Categories
       * Input Validation
       * Authentication
       * Authorization
       * Configuration Management
       * Sensitive Data
  60. Summary
     * Application Vulnerability Categories
       * Session Management
       * Cryptography
       * Parameter Manipulation
       * Exception Management
       * Auditing and Logging
     * Core Security Principles
       * Compartmentalize
       * Use least privilege
  61. Summary
     * Core Security Principles
       * Apply defense in depth
       * Do not trust user input
       * Check at the gate
       * Fail securely
       * Secure the weakest link
       * Create secure defaults
       * Reduce your attack surface
  62. Summary
     * Core Security Principles
       * Apply defense in depth
       * Do not trust user input
       * Check at the gate
       * Fail securely
       * Secure the weakest link
       * Create secure defaults
       * Reduce your attack surface
     * Risks and Risk Mitigation/Control Measures
  63. References
     * Open Web Application Security Project (OWASP): https://www.owasp.org/index.php/Main_Page
     * Web Application Security Consortium: http://www.webappsec.org/
     * Web Application Security: http://www.techopedia.com/definition/24377/web-application-security
     * Application Software Security: http://www.tripwire.com/state-of-security/security-data-protection/20-critical-security-controls-control-6-application-sof
     * Improving Web Application Security: Threats and Countermeasures: http://msdn.microsoft.com/en-us/library/ff648636.aspx
  64. References
     * 10 Common Mobile Security Problems to Attack: http://www.pcworld.com/article/2010278/10-common-mobile-security-problems-
     * 11 Most Common Security Threats: http://www.symantec-norton.com/11-most-common-computer-security-threats_k
     * Cyber Attack Timeline: http://www.nato.int/docu/review/2013/Cyber/timeline/EN/index.htm
  65. References
     * A Potted History of the IT Industry: 25 Years of Milestones: http://www.computerworlduk.com/slideshow/it-business/3278948/a-potted-history-of-the-it-industry-2
     * A Short History of Hacks, Worms and Cyberterrors: http://www.computerworld.com/s/article/9131924/A_short_history_of_hacks_worms_and_cyberterror
     * Data Visualization of DDoS on Twitter: http://datavisualization.ch/showcases/how-twitter-got-attacked-by-a-ddos/
     * Russian Coder: I Hacked Georgia's Sites in Cyberwar: http://www.wired.com/2008/10/government-and/