An approach to app security - For beginners

1. An Approach to Application Security For beginners #vodqa

2. Hi!

3. Why are you here?

4. Reference: https://www.owasp.org Identify Security Objectives Application Overview Decompose Application Identify Threats Identify Vulnerabilities

5. Agenda Introduction and case study High-level threat modeling Application threat modeling Vulnerability Testing References

6. Case study

7. Background Have food industry background Known network of food critics Business and Investment numbers Start-up Venture capital investment: ~$10mn Number of employees: 50 Hired contractors for development Application strategy Food critics write and read reviews In the future, plans to extend ads to hotels for revenue Critical assets Customers (food critics) Credibility

9. Mockups

10. Mockups

11. Mockups

13. Phases in our delivery lifecycle Inception (Business Feasibility Study and Requirement Gathering) Design thinking and tech analysis Development Testing Release

14. Inception

15. Participants Business stakeholders : CTO, CFO, Tech architect Delivery team: BA, Tech lead, QA, Tech architect, developers (optional)

16. High-level Threat modeling Structured, shared understanding of what could go wrong Incorporate security thinking throughout our software delivery Vocabulary to record and talk about possible threats Understand the security threats that your client is facing Understand the stakeholders’ concerns

17. ASK!

18. Split up in delivery teams

19. What are the services and people that are a part of YourFeedback’s ecosystem?

20. Employees? Hotels? App users? Government? Cloud systems?

21. Actors People and services within a system

22. But first, why protect anything? What does YourFeedback app want to protect?

23. CIA Triad Confidentiality IntegrityAvailability

24. What does YourFeedback app want to protect?

25. Reviews? Customer information? Logs? Server?

26. Asset Device, data or service that needs to be protected

27. Who might attack YourFeeback’s assets?

28. Competitors? Application users? Firewall? Hacktivists? Government? Other app in the same network?

29. Attacker People/services that intentionally, or unintentionally, compromise an asset

31. What are we protecting our assets against?

32. Threat A cause of a possible incident that could lead an attacker to attack an asset

33. AttackerAsset Threat

34. Assets ● Reputation, credibility ● Investors ● Application ● Servers ● Code ● Reviews ● Customer data ● Audit/financial data Attackers ● Business competitors ● Application user ● Hotel owners ● Investor’s competitors ● Hotel’s competitors ● Hackers ● Firewall ● Delivery team (Sample List)

35. Identifying threats and risk

36. Assets ● Reputation, credibility ● Investors Info ● Application ● Servers ● Code ● Reviews ● Customer data ● Audit/financial data Attackers ● Business competitors ● Application user ● Hotel owners ● Investor’s competitors ● Hotel’s competitors ● Hackers ● Firewall ● Delivery team (Sample List)

46. More terminologies Mitigation : Ways to counterbalance a threat Vulnerability : An un-mitigated or insufficiently mitigated threat Risk : An onset of a threat on a vulnerability Threat Vulnerability Mitigation

47. Risk Magic Quadrant Impact Probability

48. Our Risk Magic Quadrant (examples) Application User giving unfair reviews Application user misusing customer data Hotel Owner changing reviews in favor of themselves Business competitors bringing down Reputation and Credibility Hackers bring down reputation and credibility Probability Impact Firewall brings down the server Business competitor’s catching hold of investment details Employees disclosing customer data

49. Design thinking Tech analysis

50. Participants Business stakeholders : Tech team (if distributed team) Delivery team: BA, Tech lead, QA, Tech architect, developers

51. Application Threat Modeling Structured, shared understanding of what could go wrong in identified threats Incorporate security thinking into user stories and design Threat awareness for the delivery team Understand protection mechanisms But first, what ways can attackers attack in?

52. Example - STRIDE Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of privileges

53. Application Threat Modeling : Attack Trees Open safe Break openLearn combinationPick lock Find written combination Get combination from someone Look into emails/chats Look into personal diary/notebooks Social engg PhishingCheck notes in laptop Goal Ways

54. What will bring Our business down? Lose Customers Lose Credibility Targeted Marketing - By Competitors Unrelated/Unfair reviews Competitors release attractive features before YourFeedback.com Application is not usable. Application is not performing as expected. Illegitimate/Offensive content posted on the site. Business owners have lost personal credibility. Has been proved to be hacked at least once.

55. Lets see how one of those goals can be achieved by Attacker

56. Attack threats for you to pick up Display unreliable reviews Make application unusable for users Offensive/illegitimate content posted on the sites Targeted marketing (by competitors/hotel owners) Competitors release attractive features before us Application is not performing as expected for business

57. Make the App not usable by user Make the App not usable Existing users are not able to Login Redirect to another website Bring the server down Change Password Delete User Creating too much load Sending too many asynchronous calls Hide content on page load Stop users from viewing/reading content of website Show popup on page load Getting access to DB server Show pop up on any click Make website/browser too slow Access the DB through application Creating load on Database Show irrelevant content on top of actual page content Running too many scripts on page load

58. Display unreliable reviews Display unreliable reviews Login as existing member Phishing Change directly in database Bypass login Social engineering Find password Add new member Bug in login Get Password Post wrong reviews

59. Offensive/illegitimate content posted on the sites Offensive/illegi timate content posted on the sites Offensive content in the review section Run a script with offensive images Login as existing user and post review Add a new user and post review Add offensive content and image in the information PDF Load illegitimate image on page load Get password Bug in login Get access to DB server

60. Targeted marketing (by competitors/hotel owners) Targeted marketing Capture attention by Ads Call /email customers directly Get Customer Info Posts Add in our feedback App Get customers to visit competitor’s sites Social Engineering Get Customer Info

61. Competitors market new attractive features before Yourfeedback.com Competitors market new features before Yourfeedback.com Get access to staging or pre prod environment Get access to project management system Accessing development branch to get active code

63. Development Testing

64. Vulnerability Identification Vulnerability is an unmitigated or insufficiently mitigated threat

65. OWASP Top 10 Vulnerabilities : A Start

66. SQL Injection Server-side attack Misuses interpreter to attack database Different types of SQL injections: Error-based, Blind etc.

67. Cross-Site Scripting (XSS) A type of injection Client-side attack Misusing powers of HTML, Javascript, CSS etc. Types: Reflective Persistent

68. Reflective XSS Reflective XSS

69. Persistent XSS Persistent XSS

70. Path Traversal Access or execute command on restricted directories or files Outside the web root folder a.k.a. ‘dot-dot-slash’, ‘directory traversal’, ‘directory climbing’ or ‘backtracking’

71. Demo

72. Let’s test Make the App not usable Existing users are not able to Login Redirect to another website Bring the server down Change Password Delete User Creating too much load Sending too many Asynchronous Calls Hide actual page content on Page load Stop users from viewing/reading content of website Show popup on Page load Getting access to DB server Show pop up on any click Make website/browser too slow Access the DB from the application Creating load on Database Show irrelevant content on top of actual page content Running too many scripts on page load Access the DB from the application Change Password Delete User Hide actual page content on Page load Show popup on Page load Redirect to another website

73. Display unreliable reviews Display unreliable reviews Login as existing member Phishing Change directly in database Bypass login Social engineering Find password Add new member Bug in login Get Password Post wrong reviews

74. Competitors market new attractive features before Yourfeedback.com Competitors market new features before Yourfeedback.com Get access to staging or pre prod environment Get access to project management system Accessing development branch to get active code

76. Mitigations/Suggestions SQL Injections : Input Validation, like use of ORM. Limit Database Permission Configure Error Reporting Path Traversal : Use of search function instead of appending from URL. XSS CSP - Content Security Policy Use AutoEscape Input validation

77. Tool Examples Zed Attack Proxy BurpSuite IronWASP Fiddler TamperData Websecurify XSS Me, SQL Inject Me etc.

78. References Vulnerable application: https://github.com/jaydeepc/vul_feedback_app Fixed application: https://github.com/jaydeepc/non_vul_python_app https://www.thoughtworks.com/insights/blog/appsec101-welcoming-all-roles-world- security https://www.owasp.org

79. Thank you! Harinee Muralinath (harineem@thoughtworks.com) , Jaydeep Chakraborty (jaydeepc@thoughtworks.com) Nagesh Kumar, Shraddha Suman, Navya Bailkeri, Fathima Harris, Pallipuspa Samal, Astha Jaiswal, Hitesh Sharma Presenters: Volunteers:

An approach to app security - For beginners

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to An approach to app security - For beginners

Similar to An approach to app security - For beginners (20)

More from vodQA

More from vodQA (20)

Recently uploaded

Recently uploaded (20)

An approach to app security - For beginners

Editor's Notes