Web application security: how to start?
 


You want to start integrating security in your web application project but you don't know where to start and don't have access to software security professionals. What are the "cheapest" while very efficient activities that you can already do by yourself?


Agenda:
- Understanding the need for information security and privacy
- Secure design: key principles
- Threat modeling and analysis: building your first threat model and identifying the major risks in your web application
- Testing the security of your web application
- Understanding the big picture: what is a secure SDLC
- Cheap and efficient security activities that can be started immediately in your SDLC

    Presentation Transcript

    • Web application security: the first steps towards a secure SDLC
      Antonio Fontes, OWASP Geneva Chapter Leader
      Confoo Conference, March 11th 2010, Montreal, CA
    • (coward) disclaimer
      We haven’t found the solution, yet.
      Most methodologies are v.1.x and getting continuous improvements.
      You might need more than one point of view
      2
      Antonio Fontes / Confoo Conference, Montreal / 2010
    • Agenda - Context
      Some theory
      Security expectations in software
      Identifying threats and their countermeasures
      Coward strategy
      A case study
      Conclusion
    • About me
      Antonio Fontes, from Geneva (Switzerland)
      >1999: Web developer
      >2005: Ethical hacker / Security analyst
      >2008: Security & Privacy manager (banking software ISV)
      >2008: OWASP Geneva Chapter Leader
      >2010: Information Security Consultant
      SANS/CWE Top 25 Most Dangerous Programming Errors contributor
    • About you?
      Coders?
      Testers?
      Managers?
      Ninjas?
    • First things first: THEORY
    • 80-20 rule
      Also applies to information security
      SQL injections
      Authentication & session management
      OWASP Top 10
      OWASP ASVS
    • what does “secure” mean?
    • Security & Privacy contract
      1st assurance: CONFIDENTIALITY
      "Data is protected from unauthorized access."
      2nd assurance: INTEGRITY
      "Data is correct and current."
      3rd assurance: AVAILABILITY
      "Legitimate requests get answers in legitimate time."
      4th assurance: TRACEABILITY
      "You can reconstruct a trustworthy history of any user's interactions with your application."
    • Security & Privacy contract
      5th assurance: PRIVACY
      "Personal data is protected both from unauthorized access and from unnecessary access."
      6th assurance: COMPLIANCE
      "Data is collected, processed, accessed, stored, archived and destroyed in accordance with the law."
      7th assurance: REPUTATION
      "Security incidents that might potentially occur won't harm the organization's reputation."
      Compliance and reputation are what your boss understands!
      The 5 others are what you really need to solve ;)
    • the threat
      “Nobody wants to hack us.”
    • Who are your threat agents?
      (the slide places these on a scale from lower effort to higher effort)
      Dumb guy
      Show-off guy
      « I kill you! » guy
      Organized crime
      But also…
      Competition
      Governments
    • Security features vs. secure features
      Checklists already solve common problems!
    • Secure features: STRIDE model
      SPOOFING -> authentication
      TAMPERING -> integrity
      REPUDIATION -> non-repudiation
      INFORMATION DISCLOSURE -> confidentiality
      DENIAL OF SERVICE -> availability
      ELEVATION OF PRIVILEGES -> authorization
      For each asset, ask yourself what nightmares you really don’t want to come true!
    • $$$$ issues
    • the big picture
      Security Activities / SDLC (labels as extracted from the activity-map diagram; their placement by phase is not preserved)
      Awareness operations (coffee room, newsletters, posters on the wall, drop OWASP guides on the floor, lunch with devs, etc.)
      Training operations (secure coding, threat modelling, code analysis, ...)
      S&P risk assessment
      Secure design
      Secure coding guidelines
      Incident response
      Risk assessment (attack surface review)
      Incident response planning
      Attack surface analysis
      Secure coding tools
      Penetration test
      Final S&P signoff
      S&P test
      Identify security requirements
      CERT response
      Secure configuration and deployment
      Threat modeling
      Unit testing
      Static code analysis
      Fuzz test
      Release archive
      S&P test planning
      SP3DC (Security and Privacy by Design, Development, Deployment and Configuration)
      Intranet portal (case studies, news, best practices, secure code repository)
      Product Risk Management Strategy
    • How are big companies doing?
      PT1.1: External penetration test. External penetration tests bring light to insecure applications and organizations, which need help.
      SFD1.1: Security features development. Security features (auth, crypto, session, etc.) are centrally developed and reused.
      SE1.2: Secure deployment. Host and network security basics are in place.
      CP1.3: Create a policy. Define a policy that satisfies regulatory & compliance requirements.
      Source: BSIMM (http://bsi-mm.com/)
      Let's think costs and risk reduction!
    • our own picture
      What is cheap?
      What is effective?
    • our own picture
      (the same SDLC activity map as on the previous slide)
    • S&P test
      You can do it (you, or automated security scanning tools)
      You don’t need to ask (well…….it depends)
      It’s virtually free (for your boss. you lose one or two evenings.)
      You will get a picture
      That you can show your management
      That will serve as input into your bug tracking tool
      If you use a reference (OWASP Top 10?), you can even monitor progress
    • Threat analysis and modeling
      You can do it (if there is documentation, it’s better)
      You don’t need to ask (well…….it depends)
      It’s virtually free (for your boss. you lose one or two evenings.)
      You will issue recommendations
      That will help you and your colleagues build more secure code.
      That you will improve with time.
    • SUMMARY
      Security contract:
      7 rules
      5 security properties that lead to 2 security concerns
      Threat agents
      Low-cost SDLC injection phases
    • lazy strategy
    • lazy strategy
      Your goal: staying out of statistics (shame avoidance pattern)
      UK breach investigation report:
      60% of web intrusions: SQL Injection*
      30% of web intrusions: authentication*
      Web hacking incidents database:
      19% : SQL Injection
      11% : authentication attacks
      OWASP Top 10 web application security risks:
      Don’t get exposed to one of these attacks!
      *: 7Safe - UK Security breach investigations report 2010
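The two intrusion vectors the statistics above single out, SQL injection and authentication, both start with data crossing a trust boundary unchecked. As an added example (not part of the talk), the Python snippet below builds a throwaway SQLite database with constructed sample users and shows why string-building a login query lets a crafted password bypass authentication, while a parameterized query does not. The usernames, passwords and the `users` table are assumptions made for the demonstration; storing plaintext passwords as done here is itself a flaw and is only there to keep the example short.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for a stand-alone demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords only to keep the example short; real code stores
    # a salted password hash and compares against that.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # User-controlled strings are pasted into the SQL text, so input that
    # contains a quote changes the *structure* of the query, not just its data.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the driver passes the values separately from the statement,
    # so a quote inside the input can never terminate the string literal.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo() -> dict:
    conn = make_db()
    # Classic tautology payload: closes the password literal and appends OR '1'='1'
    payload = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "inject_vulnerable": login_vulnerable(conn, "nobody", payload),
        "legit_parameterized": login_parameterized(conn, "alice", "correct horse"),
        "inject_parameterized": login_parameterized(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

With the vulnerable function the payload turns the WHERE clause into `username = 'nobody' AND password = '' OR '1'='1'`, which matches every row, so an unknown user is logged in; the parameterized version treats the same bytes as an ordinary (wrong) password. The fix is the same for every database driver: never concatenate input into SQL text, always bind it.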
    • lazy strategy (cont’d)
      Don’t be a hero (yet), use checklists!
      Start simple and short
      Generic items (security features): reduce exposure to technical attacks
      OWASP Application Security Verification Standard
      MS Web applications threats and countermeasures security checklist
      Specific items (secure features): reduce exposure to attacks relating to your business
      Many checklists are already automated:
      Use an automatic security scanning tool!!!
    • lazy strategy (cont’d)
      Lazy threat modeling:
      List the use cases and identify the most valuable assets involved with them.
      Think about how the assets might be exposed if the use case goes wrong:
      STRIDE model
      Attack scenarios
      Identify countermeasures
      Apply these countermeasures
    • CASE STUDY
      the Twitter case
      (because it’s simple to understand, and solved)
    • Get fast and cheap results
      Quick start: automatic security scan!!!
      Runtime: 10 minutes (if you use a 9600 bps modem)
      It should reveal major holes…
    • Reducing the heatmap
    • Major use cases
    • Valuable assets
    • Data-flows
      Elements of the data-flow diagram (labels recovered from the slide):
      External entities: User, SMS gateway
      Process: Web Server
      Data stores: Mobile numbers, Accounts and credentials, Messages & lists, Log & Audit
      Use cases: Register, Authenticate, Set status, View archive, View user feed
      Other labels: Requests, consumes, uses
      Questions attached to the diagram:
      Data stores: any need for encryption?
      Factors: what credentials make a valid authentication? Can they be spoofed?
      Data transport in non-trust zone: any need for encryption?
      Data transport in semi-trust zone: any need for encryption?
      Trust boundary: what is the input validation strategy?
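The lazy threat modeling recipe from the earlier slide (use cases, assets, STRIDE nightmares, countermeasures) can be made mechanical for a first pass by applying STRIDE per element type, as Microsoft's threat modeling practice does: external entities get Spoofing and Repudiation, processes get all six categories, data stores and data flows get Tampering, Information disclosure and Denial of service, and an audit-log store additionally gets Repudiation. The Python below is an added example, not the talk's material, that encodes that mapping together with the STRIDE-to-property table from the STRIDE slide and runs it over the elements of the data-flow diagram above. The trust-boundary and asset annotations on each element, the two flow names, and the priority score (one point per asset at stake plus two for crossing a trust boundary) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# STRIDE-per-element: which categories are usually relevant for each DFD element type.
STRIDE_PER_ELEMENT: Dict[str, Set[str]] = {
    "external": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "store": {"T", "I", "D"},
    "flow": {"T", "I", "D"},
}

THREAT_NAME = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}
# Threat category -> security property to check (the slide's STRIDE table).
COUNTERMEASURE = {
    "S": "authentication", "T": "integrity", "R": "non-repudiation",
    "I": "confidentiality", "D": "availability", "E": "authorization",
}


@dataclass
class Element:
    name: str
    kind: str                                        # external | process | store | flow
    crosses_trust_boundary: bool = False             # flow entering from a less trusted zone
    assets: List[str] = field(default_factory=list)  # valuable assets handled by the element
    is_audit_log: bool = False                       # a lost or altered log breaks traceability


def nightmares(elements: List[Element]) -> List[dict]:
    """Enumerate STRIDE threats per element, highest priority first."""
    out = []
    for el in elements:
        categories = set(STRIDE_PER_ELEMENT[el.kind])
        if el.is_audit_log:
            categories.add("R")
        # Assumed priority heuristic: one point per asset, two for crossing a boundary.
        priority = len(el.assets) + (2 if el.crosses_trust_boundary else 0)
        for c in sorted(categories):
            out.append({
                "element": el.name,
                "threat": THREAT_NAME[c],
                "check": COUNTERMEASURE[c],
                "priority": priority,
            })
    return sorted(out, key=lambda t: (-t["priority"], t["element"], t["threat"]))


def twitter_nightmares() -> List[dict]:
    """The case-study DFD from the slide, with assumed annotations."""
    dfd = [
        Element("User", "external"),
        Element("SMS gateway", "external"),
        Element("Web Server", "process", assets=["sessions"]),
        Element("Mobile numbers", "store", assets=["mobile numbers"]),
        Element("Accounts and credentials", "store", assets=["credentials"]),
        Element("Messages & lists", "store", assets=["messages"]),
        Element("Log & Audit", "store", assets=["audit trail"], is_audit_log=True),
        Element("User -> Web Server (HTTP)", "flow", crosses_trust_boundary=True,
                assets=["credentials", "messages"]),
        Element("SMS gateway -> Web Server", "flow", crosses_trust_boundary=True,
                assets=["status updates"]),
    ]
    return nightmares(dfd)


if __name__ == "__main__":
    for t in twitter_nightmares():
        print(f"[{t['priority']}] {t['element']}: {t['threat']} -> check {t['check']}")
```

The output is the "nightmares list" of the next slide in raw form: each line names an element, a STRIDE category and the property whose countermeasure you have to go and find (or add). The per-element mapping deliberately over-approximates; the point of the manual pass that follows is to strike the lines that cannot happen and to write the attack scenario for the ones that can.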
    • Nightmares list (think “STRIDE”)
    • Countermeasures
      (three countermeasure slides with no text in the transcript)
    • CASE STUDY
      is this already useful?
    • April 2007
      A security vulnerability was reported on April 7 2007 by Nitesh Dhanjani & Rujith.
      The problem was due to Twitter's using the SMS message originator as the authentication of the user's account.
      Nitesh used fakemytext.com to spoof a text message.
      This vulnerability can only be used if the victim's phone number is known.
      Twitter introduced an optional PIN that its users can specify to authenticate SMS-originating messages within a few weeks of this discovery.
      http://en.wikipedia.org/wiki/Twitter
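The April 2007 issue above is a Spoofing nightmare from the threat list: the SMS originator field is attacker-controlled, so trusting it as the sole credential lets anyone who knows the victim's number post in their name. As an added example, not Twitter's code, the Python below models an SMS-to-status handler before the fix (originator only) and after it (a per-user PIN must prefix each message; it is stored salted and hashed and compared in constant time). The phone numbers, the PIN, the "<pin> <text>" message format and the `SmsStatusService` class are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class SmsStatusService:
    """Assumed in-memory model of an SMS-to-status gateway (not Twitter's code)."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, require_pin: bool) -> None:
        self.require_pin = require_pin
        self.users: Dict[str, dict] = {}     # phone number -> account record
        self.statuses: Dict[str, str] = {}   # account -> last status text

    @classmethod
    def _pin_hash(cls, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, cls.PBKDF2_ROUNDS)

    def register(self, account: str, phone: str, pin: Optional[str] = None) -> None:
        record = {"account": account}
        if pin is not None:
            salt = secrets.token_bytes(16)
            record["salt"] = salt
            record["pin_hash"] = self._pin_hash(pin, salt)
        self.users[phone] = record

    def handle_sms(self, originator: str, body: str) -> bool:
        """Return True if the message was accepted as a status update."""
        record = self.users.get(originator)
        if record is None:
            return False
        if self.require_pin:
            # Assumed message format: "<pin> <status text>". The PIN is a secret
            # only the real user knows; the originator header is not.
            pin, sep, text = body.partition(" ")
            if not sep or "pin_hash" not in record:
                return False
            if not hmac.compare_digest(self._pin_hash(pin, record["salt"]), record["pin_hash"]):
                return False
        else:
            # Before the fix: the spoofable originator header *is* the authentication.
            text = body
        self.statuses[record["account"]] = text
        return True


def demo() -> dict:
    results = {}
    vulnerable = SmsStatusService(require_pin=False)
    vulnerable.register("alice", "+15550001")
    # Attacker spoofs alice's number as the originator (cf. fakemytext.com above).
    results["spoof_without_pin"] = vulnerable.handle_sms("+15550001", "pwned")

    fixed = SmsStatusService(require_pin=True)
    fixed.register("alice", "+15550001", pin="4711")
    results["spoof_no_pin"] = fixed.handle_sms("+15550001", "pwned")
    results["spoof_wrong_pin"] = fixed.handle_sms("+15550001", "0000 pwned")
    results["legit_with_pin"] = fixed.handle_sms("+15550001", "4711 hello from alice")
    results["alice_status"] = fixed.statuses.get("alice")
    return results
```

Two caveats a practitioner would add: a short numeric PIN has a tiny keyspace, so the handler must also throttle failed attempts per phone number, and the PIN does nothing against an attacker holding the victim's actual handset; it only removes the originator header from the list of things the application trusts.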
    • 2008
      BrainShaler.com, 2008, writes a blog entry where his Twitter account gets hacked by a friend.
      After tarnishing his online reputation, his friend was persuaded to give back the account and he managed to change his password.
      However, this did not seem to help.
      His friend still had access because his friend was already authenticated.
      Twitter’s sessions did not expire, therefore, access was granted as long as his friend had an active session and didn’t log out
      http://en.wikipedia.org/wiki/Twitter
    • January 2009
      33 high-profile Twitter accounts were compromised, and falsified messages—including sexually explicit and drug-related messages—were sent.
      The accounts were compromised after a Twitter administrator’s password was guessed via a dictionary attack.
      We are engaged in a full security review of all access points to Twitter. In the meantime, we are taking immediate action. First, we are increasing the security of our sign-in mechanism. For added security, we are further restricting access to our support tools.
      http://en.wikipedia.org/wiki/Twitter
      http://blog.twitter.com/2009/01/monday-morning-madness.html
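The 2008 and January 2009 incidents above are two authentication and session management failures from the "30% of web intrusions" bucket: sessions that outlive a password change, and an administrator password that fell to a dictionary attack because nothing throttled the guesses. The Python below is an added example, not Twitter's code, of a small login service that closes both holes: every session records the password generation it was issued under and is refused once the password changes, sessions have an absolute lifetime, and repeated failures open a lockout window. The injected clock, the limits, the `AuthService` class and the plaintext password comparison (a real service compares against a salted hash) are assumptions for the demonstration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    password_generation: int   # which password the session was issued under
    issued_at: float


class AuthService:
    """Assumed minimal login/session service (added example, not Twitter's code)."""

    SESSION_LIFETIME = 3600      # absolute session lifetime in seconds
    MAX_FAILURES = 5             # failed logins before the lockout window starts
    LOCKOUT_SECONDS = 900

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.users: Dict[str, dict] = {}
        self.sessions: Dict[str, Session] = {}
        self.failures: Dict[str, Tuple[int, float]] = {}   # user -> (count, first failure)

    def add_user(self, user: str, password: str) -> None:
        # Plaintext only for brevity; store a salted hash in real code.
        self.users[user] = {"password": password, "generation": 0}

    def login(self, user: str, password: str) -> Optional[str]:
        now = self.clock()
        count, since = self.failures.get(user, (0, 0.0))
        if count >= self.MAX_FAILURES:
            if now - since < self.LOCKOUT_SECONDS:
                return None          # throttled: a dictionary attack stalls here
            count, since = 0, 0.0    # window elapsed, start counting again
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(
            record["password"].encode(), password.encode()
        ):
            self.failures[user] = (count + 1, since if count else now)
            return None
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, record["generation"], now)
        return token

    def current_user(self, token: str) -> Optional[str]:
        session = self.sessions.get(token)
        if session is None:
            return None
        record = self.users[session.user]
        expired = self.clock() - session.issued_at > self.SESSION_LIFETIME
        stale = session.password_generation != record["generation"]
        if expired or stale:
            del self.sessions[token]   # too old, or issued before a password change
            return None
        return session.user

    def change_password(self, token: str, new_password: str) -> bool:
        user = self.current_user(token)
        if user is None:
            return False
        self.users[user]["password"] = new_password
        # Bump the generation: every session issued before this point, including
        # an intruder's still-open one, is refused from now on.
        self.users[user]["generation"] += 1
        return True


def demo() -> dict:
    now = [1_000_000.0]
    svc = AuthService(clock=lambda: now[0])
    svc.add_user("owner", "old-pass")
    intruder = svc.login("owner", "old-pass")   # the "friend" who is already logged in
    owner = svc.login("owner", "old-pass")
    before_change = svc.current_user(intruder)
    svc.change_password(owner, "new-pass")
    after_change = svc.current_user(intruder)   # None: revoked by the password change
    for guess in ["password", "123456", "qwerty", "letmein", "welcome"]:
        svc.login("owner", guess)               # dictionary attack: five misses
    during_lockout = svc.login("owner", "new-pass")   # right password, still refused
    now[0] += AuthService.LOCKOUT_SECONDS + 1
    after_lockout = svc.login("owner", "new-pass")
    now[0] += AuthService.SESSION_LIFETIME + 1
    expired = svc.current_user(after_lockout)
    return {
        "before_change": before_change,
        "after_change": after_change,
        "during_lockout": during_lockout,
        "after_lockout": after_lockout is not None,
        "expired": expired,
    }
```

Note that the generation bump also revokes the session of whoever changed the password; that is the intended behaviour (re-authenticate, or have the service issue a fresh session at the end of `change_password`). Per-user lockout on its own also hands an attacker a way to lock a known account out, so real deployments combine it with per-source throttling or a CAPTCHA rather than a hard lock.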
    • It seems to help…
    • what’s next?
    • #1: Clean up!
      Configure your bug tracking tool:
      Add a 'security' category
      Add a "critical, high, low" impact attribute
      Add a "design, implementation, configuration" source attribute
      Don't forget to store the time required to fix the issue!
      Later on, this will help you get $$$!
      Start testing your web application:
      Automated if you don't have time.
      OWASP Application Security Verification Standard is a good start: http://www.owasp.org/index.php/ASVS
      Identify your worst nightmares
      Conduct lazy threat analysis and check if countermeasures are in place
      Fix all security issues you find:
      WARNING: Don't find problems if you're not ready to solve them!
      After this point, you will already be ahead of many others.
    • #2: Sharpen your skills!
      Understand technical attacks and countermeasures:
      Threat Classification (WASC): http://projects.webappsec.org/Threat-Classification
      Top 10 Web application security risks (OWASP): http://www.owasp.org/index.php/Top_10
      Learn and adhere to secure coding principles:
      Secure Development Principles Whitepaper (Security Ninja): http://www.securityninja.co.uk/wp-content/uploads/2009/09/secure_development_principles_final.pdf
      Learn threat modeling:
      Threat Modeling Web Applications (Microsoft): http://msdn.microsoft.com/en-us/library/ms978516.aspx
      Evangelize around you:
      Show and share with your teammates what you learned!
    • #3: Talk to management!
      Be ready to hit walls
      Otherwise, stay silent and just fix what you can.
      Compile your data
      C-levels understand "financial profit", "compliance", and "reputation exposure":
      Tell them what the current situation is
      Look into your bug tracking tool: how much time was (or will be) spent fixing the flaws you found? How much time would it have taken to fix them at design time?
      Get promoted (and ask for a raise, if you dare)
      "Product Manager – Security & Privacy"
    • #4: Continue securing your SDLC
      Choose your school:
      Security Development Lifecycle (Microsoft): http://blogs.msdn.com/sdl/
      Open Software Assurance Maturity Model (OWASP): http://www.opensamm.org/
      Building Security in Maturity Model (Cigital/Fortify): http://www.bsi-mm.com/
    • Conclusion
      What’s the 1stmajor wall?
      Just start.
    • Conclusion
      What’s the 2ndmajor wall?
      Not applying those damn checklists.
    • Conclusion
      If you can “start” and “apply a checklist”…
      You’re almost done! ;)
    • questions…?
      • antonio.fontes@owasp.org
      • t:starbuck3000
      • slideshare: starbuck3000
      Thank you!
    • next
      Google:“list of (free) web application security scanners”
      Find checklists:
      Google:”web application security checklist”
      OWASP ASVS
      MS web application threats and countermeasures security checklist
      Start fixing!
    • Copyright
      You are free:
      To share (copy, distribute, transmit)
      To remix
      But only if:
      You attribute this work
      You use it for non-commercial purposes
      And you keep sharing your result the same way I did