Web application security: how to start?
You want to start integrating security in your web application project but you don't know where to start and don't have access to software security professionals. What are the "cheapest" while very efficient activities that you can already do by yourself?


Agenda:
- Understanding the need for information security and privacy
- Secure design: key principles
- Threat modeling and analysis: building your first threat model and identifying the major risks in your web application
- Testing the security of your web application
- Understanding the big picture: what is a secure SDLC
- Cheap and efficient security activities that might be started immediately in your SDLC

Published in: Technology
Transcript

  • 1. Web application security: the first steps towards a secure SDLC
    Antonio Fontes, OWASP Geneva Chapter Leader
    Confoo Conference, March 11th 2010, Montreal, CA
  • 2. (coward) disclaimer
    We haven’t found the solution, yet.
    Most methodologies are v.1.x and getting continuous improvements.
    You might need more than one point of view.
    Antonio Fontes / Confoo Conference, Montreal / 2010
  • 3. Agenda - Context
    Some theory
    Security expectations in software
    Identifying threats and their countermeasures
    Coward strategy
    A case study
    Conclusion
  • 4. About me
    Antonio Fontes, from Geneva (Switzerland)
    >1999: Web developer
    >2005: Ethical hacker / Security analyst
    >2008: Security & Privacy manager (banking software ISV)
    >2008: OWASP Geneva Chapter Leader
    >2010: Information Security Consultant
    SANS/CWE Top 25 Most Dangerous Programming Errors contributor
  • 5. About you?
    Coders? Testers? Managers? Ninjas?
  • 6. First things first: THEORY
  • 7. 80-20 rule
    Also applies to information security:
    SQL injections
    Authentication & session management
    OWASP Top 10, OWASP ASVS
  • 8. what does “secure” mean?
  • 9. Security & Privacy contract
    1st assurance: CONFIDENTIALITY
    “Data is protected from unauthorized access.”
    2nd assurance: INTEGRITY
    “Data is true and actual.”
    3rd assurance: AVAILABILITY
    “Legitimate requests get answers in legitimate time.”
    4th assurance: TRACEABILITY
    “You can reconstruct a trustworthy history of any user’s interactions with your application.”
  • 10. Security & Privacy contract
    5th assurance: PRIVACY
    “Personal data is protected both from unauthorized access but also from unnecessary access.”
    6th assurance: COMPLIANCE
    “Data is collected, processed, accessed, stored, archived and destroyed in accordance with Law.”
    7th assurance: REPUTATION
    “Security incidents that might potentially occur won’t harm the organization’s reputation.”
    These are what your boss understands!
    The 5 others are what you really need to solve ;)
  • 11. the threat
    “Nobody wants to hack us.”
  • 12. Who are your threat agents?
    (ordered from lower effort to higher effort)
    Dumb guy
    Show-off guy
    “I kill you!” guy
    Organized crime
    But also…
    Competition
    Governments
  • 13. Security features vs. secure features
    Checklists already solve common problems!
  • 14. Secure features: STRIDE model
    SPOOFING -> authentication
    TAMPERING -> integrity
    REPUDIATION -> non-repudiation
    INFORMATION DISCLOSURE -> confidentiality
    DENIAL OF SERVICE -> availability
    ELEVATION OF PRIVILEGES -> authorization
    For each asset, ask yourself what nightmares you really don’t want to come true!
  • 15. $$$$ issues
  • 16. the big picture
    Awareness operations (coffee room, newsletters, posters on the wall, drop OWASP guides on the floor, lunch with devs, etc.)
    Training operations (secure coding, threat modelling, code analysis, ...)
    Security Activities / SDLC: S&P Risk assessment, Secure design, Secure Coding guidelines, Incident response, Risk assessment (attack surface review), Incident response planning, Attack surface analysis, Secure coding tools, Penetration Test, Final S&P signoff, S&P Test, Identify security requirements, CERT response, Secure configuration and deployment, Threat modeling, Unit testing, Static code analysis, Fuzz test, Release archive, S&P test planning
    SP3DC (Security and Privacy by Design, Development, Deployment and Configuration)
    Intranet portal (case studies, news, best practices, secure code repository)
    Product Risk Management Strategy
  • 17. How are big companies doing?
    PT1.1: External penetration test: external penetration tests bring light to insecure applications and organizations, which need help.
    SFD1.1: Security features development: security features (auth, crypto, session, etc.) are centrally developed and reused.
    SE1.2: Secure deployment: host and network security basics are in place.
    CP1.3: Create a policy: define a policy that satisfies regulatory & compliance requirements.
    Source: BSI-mm (http://bsi-mm.com/)
    Let’s think costs and risk reduction!
  • 18. our own picture
    What is cheap?
    What is effective?
  • 19. our own picture
    Awareness operations (coffee room, newsletters, posters on the wall, drop OWASP guides on the floor, lunch with devs, etc.)
    Training operations (secure coding, threat modelling, code analysis, ...)
    Security Activities / SDLC: S&P Risk assessment, Secure design, Secure Coding guidelines, Incident response, Risk assessment (attack surface review), Incident response planning, Attack surface analysis, Secure coding tools, Penetration Test, Final S&P signoff, S&P Test, Identify security requirements, CERT response, Secure configuration and deployment, Threat modeling, Unit testing, Static code analysis, Fuzz test, Release archive, S&P test planning
    SP3DC (Security and Privacy by Design, Development, Deployment and Configuration)
    Intranet portal (case studies, news, best practices, secure code repository)
    Product Risk Management Strategy
  • 20. S&P test
    You can do it (you, or automated security scanning tools)
    You don’t need to ask (well… it depends)
    It’s virtually free (for your boss; you lose one or two evenings)
    You will get a picture
    that you can show your management,
    that will serve as input into your bug tracking tool.
    If you use a reference (OWASP Top 10?), you can even monitor progress.
  • 21. Threat analysis and modeling
    You can do it (if there is documentation, it’s better)
    You don’t need to ask (well… it depends)
    It’s virtually free (for your boss; you lose one or two evenings)
    You will issue recommendations
    that will help you and your colleagues build more secure code,
    that you will improve with time.
  • 22. SUMMARY
    Security contract:
    7 rules
    5 security properties that lead to 2 security concerns
    Threat agents
    Low-cost SDLC injection phases
  • 23. lazy strategy
  • 24. lazy strategy
    Your goal: staying out of statistics (shame avoidance pattern)
    UK breach investigation report*:
    60% of web intrusions: SQL Injection
    30% of web intrusions: authentication
    Web hacking incidents database:
    19%: SQL Injection
    11%: authentication attacks
    OWASP Top 10 web application security risks: don’t get exposed to one of these attacks!
    *: 7Safe - UK Security breach investigations report 2010
  • 25. lazy strategy (cont’d)
    Don’t be a hero (yet), use checklists!
    Start simple and short.
    Generic items (security features): reduce exposure to technical attacks
    OWASP Application Security Verification Standard
    MS Web applications threats and countermeasures security checklist
    Specific items (secure features): reduce exposure to attacks relating to your business
    Many checklists are already automated: use an automatic security scanning tool!!!
  • 26. lazy strategy (cont’d)
    Lazy threat modeling:
    List the use cases and identify the most valuable assets involved with them.
    Think about how the assets might be exposed if the use case goes wrong:
    STRIDE model
    Attack scenarios
    Identify countermeasures
    Apply these countermeasures
  • 27. CASE STUDY
    the Twitter case
    (because it’s simple to understand, and solved)
  • 28. Get fast and cheap results
    Quick start: automatic security scan!!!
    Runtime: 10 minutes (if you use a 9600 bps modem)
    It should reveal major holes…
    *: 7Safe - UK Security breach investigations report 2010
  • 29. Reducing the heatmap
  • 30. Major use cases
  • 31. Valuable assets
  • 32. Data-flows
    User -> Register / Authenticate / Set status / View archive / View user feed -> Web Server
    SMS gateway -> Requests -> Web Server (consumes / uses)
    Data stores: Mobile numbers, Accounts and credentials, Messages & lists, Log & Audit
    Data stores: any need for encryption?
    Factors: what credentials make a valid authentication? Can they be spoofed?
    Data transport in non-trust zone: any need for encryption?
    Data transport in semi-trust zone: any need for encryption?
    Trust boundary: what is the input validation strategy?
  • 33. Nightmares list (think “STRIDE”)
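The nightmares list of slide 33 can be produced mechanically from the data-flow elements of slide 32 with the STRIDE-per-element rule (external entity: S, R; process: all six; data store: T, I, D, plus R for a log store; data flow: T, I, D). The script below is an added example, not part of the slides: the trust-zone names ("non-trust", "semi-trust", "trusted") and the simplified element list are assumptions, and it additionally flags flows that cross a trust boundary, which is where the slide's encryption and input-validation questions apply.

```python
from dataclasses import dataclass

# STRIDE letters and the security property each one attacks (slide 14).
STRIDE = {
    "S": "Spoofing -> authentication",
    "T": "Tampering -> integrity",
    "R": "Repudiation -> non-repudiation",
    "I": "Information disclosure -> confidentiality",
    "D": "Denial of service -> availability",
    "E": "Elevation of privilege -> authorization",
}
# STRIDE-per-element: the letters that apply to each kind of DFD element.
PER_ELEMENT = {"entity": "SR", "process": "STRIDE", "store": "TID", "flow": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str          # "entity", "process", "store" or "flow"
    zone: str          # trust zone (unused for flows, which compare their ends)
    ends: tuple = ()   # for flows: (source name, destination name)


def nightmares(elements):
    """Build the nightmares list: for every element, the STRIDE threats that
    apply to its kind; a flow whose ends lie in different trust zones also gets
    the slide-32 boundary questions (encryption in transit, input validation)."""
    by_name = {e.name: e for e in elements}
    result = {}
    for e in elements:
        letters = PER_ELEMENT[e.kind]
        if e.kind == "store" and "log" in e.name.lower():
            letters += "R"   # the audit log is also a repudiation target
        threats = [STRIDE[c] for c in letters]
        if e.kind == "flow":
            src, dst = by_name[e.ends[0]], by_name[e.ends[1]]
            if src.zone != dst.zone:
                threats.append(f"crosses trust boundary {src.zone} -> {dst.zone}: "
                               "encrypt in transit, validate input at the boundary")
        result[e.name] = threats
    return result


def twitter_model():
    """Simplified slide-32 diagram; the zone names are assumed for this example."""
    E = Element
    return [
        E("User", "entity", "non-trust"),
        E("SMS gateway", "entity", "semi-trust"),
        E("Web Server", "process", "trusted"),   # Register, Authenticate, Set status, View ...
        E("Mobile numbers", "store", "trusted"),
        E("Accounts and credentials", "store", "trusted"),
        E("Messages & lists", "store", "trusted"),
        E("Log & Audit", "store", "trusted"),
        E("User -> Web Server", "flow", "", ("User", "Web Server")),
        E("SMS gateway -> Web Server", "flow", "", ("SMS gateway", "Web Server")),
        E("Web Server -> Accounts and credentials", "flow", "",
          ("Web Server", "Accounts and credentials")),
    ]


if __name__ == "__main__":
    for element, threats in nightmares(twitter_model()).items():
        print(element)
        for t in threats:
            print("   -", t)
```

Each generated line is a candidate "nightmare" to keep or strike; the countermeasure column of slides 34-36 is then filled in per threat.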
  • 34. Countermeasures
  • 35. Countermeasures
  • 36. Countermeasures
  • 37. CASE STUDY
    is this already useful?
  • 38. April 2007
    A security vulnerability was reported on April 7 2007 by Nitesh Dhanjani & Rujith.
    The problem was due to Twitter’s using the SMS message originator as the authentication of the user’s account.
    Nitesh used fakemytext.com to spoof a text message.
    This vulnerability can only be used if the victim’s phone number is known.
    Twitter introduced an optional PIN that its users can specify to authenticate SMS-originating messages within a few weeks of this discovery.
    http://en.wikipedia.org/wiki/Twitter
  • 39. 2008
    BrainShaler.com, 2008, writes a blog entry where his Twitter account gets hacked by a friend.
    After tarnishing his online reputation, his friend was persuaded to give back the account and he managed to change his password.
    However, this did not seem to help.
    His friend still had access because his friend was already authenticated.
    Twitter’s sessions did not expire; therefore, access was granted as long as his friend had an active session and didn’t log out.
    http://en.wikipedia.org/wiki/Twitter
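The 2008 incident above is a session-management failure: changing the password did not revoke sessions that were already authenticated. The following added example (not Twitter's code and not from the slides) shows the server-side pattern that closes it: every session records the password generation it was issued under, and a password change bumps the account's generation so older sessions fail on their next request; the idle and absolute timeouts are assumed policy values.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60        # assumed policy: 30 minutes without a request
ABSOLUTE_TIMEOUT = 12 * 3600  # assumed policy: 12 hours, however active


@dataclass
class Account:
    pw_generation: int = 0    # incremented on every password change


@dataclass
class Session:
    user: str
    pw_generation: int        # generation the session was issued under
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table; the clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts = {}    # user -> Account
        self.sessions = {}    # session id -> Session

    def login(self, user):
        """Called after the credentials were verified; returns a new unguessable id."""
        acct = self.accounts.setdefault(user, Account())
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = Session(user, acct.pw_generation, now, now)
        return sid

    def on_password_changed(self, user):
        """Hook to call once the new password is stored: bumping the generation
        makes every session issued before the change fail is_valid()."""
        self.accounts.setdefault(user, Account()).pw_generation += 1

    def is_valid(self, sid):
        """Check on every request; expired or revoked sessions are deleted."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        now = self.clock()
        revoked = s.pw_generation != self.accounts[s.user].pw_generation
        too_old = now - s.created > ABSOLUTE_TIMEOUT
        idle = now - s.last_seen > IDLE_TIMEOUT
        if revoked or too_old or idle:
            del self.sessions[sid]
            return False
        s.last_seen = now
        return True

    def logout(self, sid):
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    kept = store.login("victim")            # the session the "friend" kept open
    store.on_password_changed("victim")     # the victim changes the password
    print("old session still valid?", store.is_valid(kept))   # prints False
```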
  • 40. January 2009
    33 high-profile Twitter accounts were compromised, and falsified messages (including sexually explicit and drug-related messages) were sent.
    The accounts were compromised after a Twitter administrator’s password was guessed via a dictionary attack.
    “We are engaged in a full security review of all access points to Twitter. In the meantime, we are taking immediate action. First, we are increasing the security of our sign-in mechanism. For added security, we are further restricting access to our support tools.”
    http://en.wikipedia.org/wiki/Twitter
    http://blog.twitter.com/2009/01/monday-morning-madness.html
  • 41. It seems to help…
  • 42. what’s next?
  • 43. #1: Clean up!
    Configure your bug tracking tool:
    Add a ‘security’ category
    Add a “critical, high, low” impact attribute
    Add a “design, implementation, configuration” source attribute
    Don’t forget to store the time required to fix the issue! At a later time, this will help you get $$$!
    Start testing your web application:
    Automated if you don’t have time.
    OWASP Application Security Verification Standard is a good start: http://www.owasp.org/index.php/ASVS
    Identify your worst nightmares:
    Conduct lazy threat analysis and check if countermeasures are in place.
    Fix all security issues you find:
    WARNING: Don’t find problems if you’re not ready to solve them!
    After this point, you will already be ahead of many others.
  • 44. #2: Sharpen your skills!
    Understand technical attacks and countermeasures:
    Threat classification (WASC): http://projects.webappsec.org/Threat-Classification
    Top 10 Web application security risks (OWASP): http://www.owasp.org/index.php/Top_10
    Learn and adhere to secure coding principles:
    Secure Development Principles Whitepaper (Security Ninja): http://www.securityninja.co.uk/wp-content/uploads/2009/09/secure_development_principles_final.pdf
    Learn threat modeling:
    Threat Modeling Web Applications (Microsoft): http://msdn.microsoft.com/en-us/library/ms978516.aspx
    Evangelize around you:
    Show and share with your teammates what you learned!
  • 45. #3: Talk to management!
    Be ready to hit walls.
    Otherwise, stay silent and just fix what you can.
    Compile your data.
    C-levels understand “financial profit”, “compliance”, and “reputation exposure”:
    Tell them what the current situation is.
    Look into your bug tracking tool: how much time was (or will be) involved in fixing the flaws you found? How much time would it take to fix them at design time?
    Get promoted (and ask for a raise, if you dare):
    “Product Manager – Security & Privacy”
  • 46. #4: Continue securing your SDLC
    Choose your college:
    Security Development Lifecycle (Microsoft): http://blogs.msdn.com/sdl/
    Open Software Assurance Maturity Model (OWASP): http://www.opensamm.org/
    Building Security in Maturity Model (Cigital/Fortify): http://www.bsi-mm.com/
  • 47. Conclusion
    What’s the 1st major wall?
    Just start.
  • 48. Conclusion
    What’s the 2nd major wall?
    Not applying those damn checklists.
  • 49. Conclusion
    If you can “start” and “apply a checklist”…
    You’re almost done! ;)
  • 50. questions…?
  • 51. Thank you!
    antonio.fontes@owasp.org
    t: starbuck3000
    slideshare: starbuck3000
  • 52. next
    Google: “list of (free) web application security scanners”
    Find checklists:
    Google: “web application security checklist”
    OWASP ASVS
    MS web application threats and countermeasures security checklist
    Start fixing!
  • 53. Copyright
    You are free:
    To share (copy, distribute, transmit)
    To remix
    But only if:
    You attribute this work
    You use it for non-commercial purposes
    And you keep sharing your result the same way I did
