Application Security
By
Anna Pasupathy CISSP, CISM
© 2019 Claren
Application Security: Securing software applications
Topics
• Web application security: securing web applications
• API (Application Programming Interface) security: securing API communication between machines and applications
• Mobile security: securing mobile applications
• Container security: securing software containers
• Open-source security: securing the open-source software in use
Web Application Security
OWASP Top 10 2017
• A1 - Injection
• A2 - Broken Authentication
• A3 - Sensitive Data Exposure
• A4 - XML External Entities (XXE)
• A5 - Broken Access Control
• A6 - Security Misconfiguration
• A7 - Cross Site Scripting (XSS)
• A8 - Insecure Deserialization
• A9 - Using Components with Known Vulnerabilities
• A10 - Insufficient Logging and Monitoring
Web Application Security: Risk Ratings
Rating scales (the OWASP Top 10 2017 risk factors): Exploitability and Detectability 3 = Easy, 2 = Average, 1 = Difficult; Prevalence 3 = Widespread, 2 = Common, 1 = Uncommon; Technical Impact 3 = Severe, 2 = Moderate, 1 = Minor. Business impact is application-specific.

Risk | Exploitability | Prevalence | Detectability | Technical Impact | Business Impact
Injection | 3 | 2 | 3 | 3 | Data loss, corruption or disclosure, loss of accountability, denial of access, host takeover
Broken Authentication | 3 | 2 | 3 | 3 | Money laundering, social security fraud, identity theft, disclosure of sensitive information
Sensitive Data Exposure | 2 | 3 | 2 | 3 | PII leak with legal penalties
XML External Entities (XXE) | 2 | 2 | 3 | 3 | Extract data, make the server issue remote requests, scan internal systems, denial of service, launch further attacks
Broken Access Control | 2 | 2 | 2 | 3 | Unauthorized create/read/update/delete (CRUD) on data
Security Misconfiguration | 3 | 3 | 3 | 2 | System compromise
Cross Site Scripting (XSS) | 3 | 3 | 3 | 2 | Stealing credentials or sessions, delivering malware
Insecure Deserialization | 1 | 2 | 2 | 3 | Remote code execution
Using Components with Known Vulnerabilities | 2 | 3 | 2 | 2 | Depends on the component and on the data it protects
Insufficient Logging and Monitoring | 2 | 3 | 1 | 2 | Attackers probe undetected; letting the probing continue raises the likelihood of a successful exploit to nearly 100%
Injection, Broken Authentication

Injection
Cause: user input is not validated and reaches an interpreter (SQL, LDAP, OS shell, etc.) as part of the command.
Method of exploit:
• Crafted user input is interpreted as part of a database or LDAP query, revealing data or making changes in the database
Mitigation:
• Validate user input on the server side (allow-list where possible); client-side checks are a usability aid only
• Keep data separate from commands: use parameterized queries / prepared statements
• Escape special characters for the specific interpreter only where parameterization is not available
• Limit data exposure: least-privilege database accounts, bounded result sets
• Use a WAF as a secondary control, not as a substitute for fixing the code

Broken Authentication
Cause: inadequate or missing authentication and session management.
Method of exploit:
• Brute force
• Default, weak, well-known or unencrypted (plaintext) passwords
• No MFA
• Session ID exposed in the URL
• Static session IDs that never expire (not rotated after login, no idle or absolute timeout)
• Automated credential stuffing with leaked username/password lists
Mitigation:
• Check new passwords against lists of common and breached passwords
• Check password length and complexity at registration and on change; align the policy with NIST SP 800-63B, which favours length over composition rules and does not recommend periodic rotation unless compromise is suspected
• Add an exponentially increasing delay (or a lock-out) after failed login attempts, and log the failures
• Manage sessions server side: random IDs, rotated after login, invalidated on logout and after a timeout
• Use MFA
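The Injection column in working code, as an added example that is not part of the deck: the same user lookup is written once with the untrusted value spliced into the SQL text and once as a bound parameter, run against an in-memory SQLite table. The table rows, the usernames and the allow-list regex are assumptions constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data for the demo (not from the slides).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "user"),
    (2, "bob", "bob@example.com", "user"),
    (3, "carol", "carol@example.com", "admin"),
]

# Allow-list validation (the "validate user input" bullet): a username is
# 1-32 lowercase letters, digits or underscores and nothing else.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable: the untrusted value is spliced into the command
    # text, so the database cannot tell data from SQL.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query ("separate data from command"): the driver binds the
    # value; it is compared literally and can never change the statement.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload. Spliced in, the WHERE clause becomes
#   name = '' OR '1'='1'
# which is true for every row.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, PAYLOAD)),  # whole table dumped
        "safe_rows": len(find_user_safe(conn, PAYLOAD)),              # nobody has that literal name
        "legit_rows": len(find_user_safe(conn, "alice")),             # normal lookup still works
        "payload_passes_validation": is_valid_username(PAYLOAD),      # the allow-list also stops it
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two layers are independent: parameterization alone is sufficient against SQL injection, and the allow-list is the extra check that keeps junk out of the application even where a value later reaches some other interpreter.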
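A second added example (not from the deck) for the Broken Authentication column, assuming a Python service that stores its own credentials: new passwords are screened against a constructed common-password list, stored as salted scrypt hashes with the work factors recorded next to the hash so they can be raised later (the deck names Argon2 first, but that needs a third-party package, so the standard library's scrypt is used), compared in constant time, and each failed login on an account adds an exponentially growing delay. The password list, the delay parameters and the timestamps are demo values.

```python
import hashlib
import hmac
import os

# Constructed excerpt of a breached-password list; a real deployment checks
# against a full list (e.g. the Have I Been Pwned k-anonymity API).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}
MIN_LENGTH = 12

# scrypt work factors: memory is about 128 * r * N bytes, 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def password_is_acceptable(password: str) -> bool:
    """Length over composition rules, plus a common/breached-password check."""
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Adaptive, salted hash; parameters travel with the hash for future upgrades."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant-time compare


# Hash of a throwaway password, so an unknown username costs the same time as
# a real one (no user enumeration through response timing).
_DUMMY_HASH = hash_password("not-a-real-account-" + os.urandom(8).hex())


class LoginThrottle:
    """Exponential back-off per account: 1 s, 2 s, 4 s ... up to max_delay per failure."""

    def __init__(self, base_delay: float = 1.0, max_delay: float = 300.0):
        self.base, self.cap = base_delay, max_delay
        self.state = {}  # username -> [failure_count, not_before_timestamp]

    def allowed(self, username: str, now: float) -> bool:
        return now >= self.state.get(username, [0, 0.0])[1]

    def record(self, username: str, success: bool, now: float) -> float:
        """Update the counter and return the delay imposed (0 on success)."""
        if success:
            self.state.pop(username, None)
            return 0.0
        failures = self.state.get(username, [0, 0.0])[0] + 1
        delay = min(self.cap, self.base * 2 ** (failures - 1))
        self.state[username] = [failures, now + delay]
        return delay


def login(users: dict, throttle: LoginThrottle, username: str, password: str, now: float) -> str:
    """Return 'ok', 'bad_credentials' or 'throttled'. Unknown users and wrong
    passwords get the same answer so the response does not reveal which it was."""
    if not throttle.allowed(username, now):
        return "throttled"
    ok = verify_password(password, users.get(username, _DUMMY_HASH)) and username in users
    throttle.record(username, ok, now)
    return "ok" if ok else "bad_credentials"
```

The throttle keys on the account, which is what stops brute force against one user; credential stuffing sprays one password across many accounts and needs the per-source-IP detection shown later under logging and monitoring.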
Sensitive Data Exposure, XML External Entities (XXE)

Sensitive Data Exposure
Cause: insecure collection, handling, storage, transmission or deletion of data (clear text or weak encryption, at rest or in transit).
Method of exploit:
• Look for exposed data: clear-text traffic, weak ciphers, unencrypted backups, verbose responses, secrets in source code or logs
Mitigation:
• Classify data, apply controls per class, encrypt data at rest and in motion; do not store sensitive data you do not need
• Key management (rotation, separation of keys from data); WAF
• Encrypt data in motion with a strong cipher: TLS with perfect forward secrecy (PFS, ephemeral key exchange)
• Cipher prioritization and secure parameters enforced on the server side
• Use HTTP Strict Transport Security (HSTS) to guard against protocol downgrade and cookie hijacking
• Disable caching of responses that contain sensitive data
• Store passwords with an adaptive, salted hash such as Argon2 or scrypt (bcrypt and PBKDF2 are also acceptable), with the work factor tuned to resist GPU and custom-hardware cracking

XML External Entities (XXE)
Cause: XML from untrusted sources is parsed by a weakly configured XML processor that resolves entity declarations.
Method of exploit:
• Submit XML, or an XML-based format (SOAP, SVG, DOCX, XLSX), through an input field or file upload that the application parses
• Declare an external entity that points at a local file, an internal URL or an unbounded entity expansion to disclose files, make the server issue requests (SSRF), scan internal systems or cause denial of service
Mitigation:
• Prefer simpler data formats such as JSON and avoid serializing sensitive data
• Disable DTDs and external entity processing in every XML parser in use; this is the safest default
• Use SAST to find parsers with unsafe configuration and DAST to test them
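The "disable external entity processing" mitigation as an added example that is not from the deck, using only the Python standard library: before a document is handed to ElementTree, an expat pass refuses any DOCTYPE, which is the only place entities can be declared, so file-disclosure and entity-expansion payloads are rejected before anything is resolved. The three XML documents are constructed for the demo; in production the defusedxml package applies the same idea to every standard-library parser.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class DoctypeRejected(ValueError):
    """The document declares a DTD, the only place XML entities can be defined."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this at the start of any <!DOCTYPE ...>, before it has seen,
    # let alone resolved, a single entity declaration.
    raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed")


def _never_resolve(context, base, system_id, public_id):
    # Defence in depth: should an external entity reference ever reach the
    # parser, refuse to fetch it (returning 0 makes expat abort the parse).
    return 0


def parse_xml_safely(data: bytes) -> ET.Element:
    """Parse untrusted XML with DTDs, and therefore entities, forbidden."""
    guard = xml.parsers.expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _reject_doctype
    guard.ExternalEntityRefHandler = _never_resolve
    guard.Parse(data, True)        # raises DoctypeRejected for any DTD
    return ET.fromstring(data)     # only DTD-free documents get this far


def classify(data: bytes) -> str:
    """'accepted' or 'rejected: <reason>', for logging and for the tests."""
    try:
        parse_xml_safely(data)
        return "accepted"
    except DoctypeRejected as exc:
        return f"rejected: {exc}"


# Constructed inputs.
BENIGN = b'<?xml version="1.0"?><order><id>42</id><qty>3</qty></order>'

# Classic file-disclosure XXE: a permissive parser reads the file into <id>.
XXE_FILE = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<order><id>&xxe;</id></order>')

# Entity-expansion denial of service ("billion laughs"); internal entities only,
# so "disable external entities" alone would not stop it, forbidding DTDs does.
XXE_BOMB = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">'
            b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;">]><lolz>&lol3;</lolz>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe-file", XXE_FILE), ("xxe-bomb", XXE_BOMB)):
        print(label, "->", classify(doc))
```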
Broken Access Control, Security Misconfigurations

Broken Access Control
Cause: restrictions on what authenticated users may do are missing or not enforced, so users act outside their intended permissions.
Method of exploit:
• Missing policy or rules: the check is simply not there
• Bypassing access control checks by modifying the URL, a parameter or an object identifier to reach another user's data (horizontal privilege escalation), or acting as an administrator without being logged in as one (vertical privilege escalation)
• Replaying or tampering with an access token such as a JWT to elevate privileges
• Accounts without MFA, which make account takeover easier
Mitigation:
• Deny by default; apply least privilege
• Use MFA; delete unwanted and stale accounts
• Minimize CORS (Cross-Origin Resource Sharing) allowances
• Log access control failures, alert on repeated ones, and audit server activity
• Limit the actions allowed per role; reduce the exposed surface and unwanted services; scrutinize every access
• Rate limit access to APIs and controllers
• Invalidate sessions and JWTs on logout (keep JWT lifetimes short); enforce ownership checks on every record
• Enforce authorization on every endpoint, including unlisted or "hidden" URLs; obscurity is not access control
• Use SAST, DAST and a WAF as supporting controls

Security Misconfigurations
Cause: inadequate security hardening anywhere in the stack.
Method of exploit:
• Exploit unpatched flaws
• Use old accounts and default accounts or credentials
• Abuse unused features, services or sample applications that were left enabled
• Harvest sensitive user or component details from error messages and stack traces
• Browse unprotected directory listings to map and reverse engineer the application
Mitigation:
• Patch flaws promptly
• Disable default configurations, accounts and permissions; remove samples and unused features; disable directory listing
• Use a repeatable, automated hardening process; use the same configuration for all environments, on a minimal platform
• Send security headers: HSTS (HTTP Strict Transport Security) and X-Frame-Options (or a Content-Security-Policy frame-ancestors directive); HPKP (HTTP Public Key Pinning) has since been deprecated and removed from major browsers, so do not rely on it
• Segment components, tenants and containers (network segmentation, security groups)
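The "deny by default" and "log and audit" mitigations as an added example that is not from the deck: a small invoice service in which every action is looked up in an explicit allow-list policy, with ownership checks so one customer cannot read another's invoice by changing the ID (horizontal escalation) and role checks so a customer cannot delete (vertical escalation). The users, roles, invoice IDs and the policy itself are assumptions constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount_cents: int


class Forbidden(PermissionError):
    pass


# Explicit allow rules, one per action. Anything not listed here is denied;
# there is no "default allow" path anywhere in the service.
POLICY = {
    "invoice:read":   lambda u, inv: inv.owner_id == u.id or u.roles & {"support", "admin"},
    "invoice:update": lambda u, inv: inv.owner_id == u.id or "admin" in u.roles,
    "invoice:delete": lambda u, inv: "admin" in u.roles,
}


class InvoiceService:
    def __init__(self, invoices):
        self._db = {inv.id: inv for inv in invoices}
        self.audit = []  # (user_id, action, invoice_id, decision); ship this to the SIEM

    def _authorize(self, user: User, action: str, invoice_id: int) -> Invoice:
        inv = self._db.get(invoice_id)
        rule = POLICY.get(action)
        # Unknown action, unknown record, or rule says no: all denied with the
        # same error, so a caller cannot enumerate which invoice IDs exist.
        allowed = inv is not None and rule is not None and bool(rule(user, inv))
        self.audit.append((user.id, action, invoice_id, "allow" if allowed else "deny"))
        if not allowed:
            raise Forbidden(f"user {user.id} may not {action} invoice {invoice_id}")
        return inv

    def get(self, user: User, invoice_id: int) -> Invoice:
        return self._authorize(user, "invoice:read", invoice_id)

    def delete(self, user: User, invoice_id: int) -> None:
        self._authorize(user, "invoice:delete", invoice_id)
        del self._db[invoice_id]

    def denied_count(self, user_id: int) -> int:
        """Repeated denials from one principal are the signal to alert on."""
        return sum(1 for uid, _, _, d in self.audit if uid == user_id and d == "deny")


# Constructed data.
ALICE = User(id=1, roles=frozenset({"customer"}))
ROOT = User(id=99, roles=frozenset({"admin"}))
INVOICES = [Invoice(id=1001, owner_id=1, amount_cents=1999),
            Invoice(id=1002, owner_id=2, amount_cents=4250)]


def demo() -> dict:
    svc = InvoiceService(INVOICES)
    results = {"own": svc.get(ALICE, 1001).owner_id}          # own record: allowed
    for invoice_id in (1002, 1003):                            # someone else's / non-existent
        try:
            svc.get(ALICE, invoice_id)
            results[f"idor_{invoice_id}"] = "allowed"
        except Forbidden:
            results[f"idor_{invoice_id}"] = "denied"
    try:
        svc.delete(ALICE, 1001)                                # vertical escalation attempt
        results["delete_as_customer"] = "allowed"
    except Forbidden:
        results["delete_as_customer"] = "denied"
    svc.delete(ROOT, 1001)
    results["delete_as_admin"] = "allowed"
    results["alice_denials"] = svc.denied_count(ALICE.id)
    return results
```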
Cross Site Scripting (XSS), Insecure Deserialization

Cross Site Scripting (XSS)
Cause: untrusted data is mixed into browser content (HTML, JavaScript) without validation or context-appropriate escaping.
Method of exploit:
• Reflected, stored or DOM-based XSS: client-side code injection that exploits the browser's trust in the web site
• Steal the session cookie or credentials, deliver malware, deface the page
• Perform actions and write or manipulate data through the victim's authenticated session
Mitigation:
• Escape untrusted data for the context it is placed in (HTML body, attribute, JavaScript, URL)
• Use frameworks that escape automatically by design
• Keep untrusted user input separate from active browser content; apply a Content Security Policy as defence in depth
• Use a WAF as a secondary control

Insecure Deserialization
Cause: serialized objects from untrusted sources are deserialized, so the object graph is under the attacker's control.
Method of exploit:
• Serialized objects from untrusted sources, e.g. a "super cookie" holding the logged-in user's serialized state
• A manipulated super cookie containing serialized information on the user's role, password hash etc. is tampered with to escalate privilege, or crafted to trigger remote code execution or denial of service during deserialization
Mitigation:
• Do not accept serialized objects from untrusted sources; prefer data-only formats such as JSON
• Implement integrity checks such as digital signatures or MACs on any serialized object, verified before deserialization
• Enforce strict type constraints during deserialization; validate the input
• Run code that deserializes in low-privilege, isolated environments
• Log deserialization exceptions and failures; monitor, restrict and alert
• Use a WAF as a supporting control
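The Insecure Deserialization column as an added example that is not from the deck, in Python, where pickle plays the role of the "super cookie": unpickling an attacker-built object runs attacker-chosen code before any check on the result could happen, while the hardened version stores the session as JSON, verifies an HMAC before parsing and then enforces a strict shape. The key, the field names and the role set are demo assumptions; a real key comes from a secret store.

```python
import base64
import binascii
import hashlib
import hmac
import json
import pickle


# ---- The vulnerable pattern: a "super cookie" holding a pickled object ----

class Gadget:
    """Attacker-supplied object. Unpickling it calls eval() on a string the
    attacker chose: a harmless expression here, os.system(...) in the wild."""

    def __reduce__(self):
        return (eval, ("2 ** 10",))


MALICIOUS_COOKIE = pickle.dumps(Gadget())  # what the attacker sends as their session


def load_session_insecure(cookie: bytes):
    # The attacker's code runs inside pickle.loads, before any validation of
    # the returned object is possible; type checks afterwards are too late.
    return pickle.loads(cookie)


# ---- The hardened pattern: data-only format, MAC verified first, strict schema ----

SECRET_KEY = b"constructed-demo-key-use-a-random-one-in-production"
ALLOWED_ROLES = {"user", "admin"}


class BadSession(ValueError):
    pass


def _mac(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def issue_session(user: str, role: str) -> str:
    payload = json.dumps({"user": user, "role": role}, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(_mac(payload))


def load_session(token: str) -> dict:
    try:
        body_b64, mac_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        raise BadSession("malformed token")
    if not hmac.compare_digest(mac, _mac(payload)):   # integrity check before parsing
        raise BadSession("bad signature")
    data = json.loads(payload)                          # data only: nothing executes here
    if (not isinstance(data, dict) or set(data) != {"user", "role"}
            or not isinstance(data["user"], str) or data["role"] not in ALLOWED_ROLES):
        raise BadSession("unexpected shape")            # strict type and shape constraints
    return data


def token_is_valid(token: str) -> bool:
    try:
        load_session(token)
        return True
    except BadSession:
        return False


def tamper(token: str) -> str:
    """Attacker edits the role in the payload but cannot recompute the MAC."""
    body_b64, mac_b64 = token.split(".")
    data = json.loads(base64.urlsafe_b64decode(body_b64))
    data["role"] = "admin"
    return _b64(json.dumps(data, separators=(",", ":")).encode()) + "." + mac_b64


def demo() -> dict:
    token = issue_session("alice", "user")
    try:
        load_session(tamper(token))
        tampered = "accepted"
    except BadSession as exc:
        tampered = f"rejected: {exc}"
    return {"pickle_result": load_session_insecure(MALICIOUS_COOKIE),
            "valid_role": load_session(token)["role"],
            "tampered": tampered}
```

The order of operations in load_session is the point: the MAC is checked on the raw bytes before json.loads touches them, so tampered input is never parsed, and the shape check afterwards rejects anything the application did not issue itself.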
Using Components with Known Vulnerabilities, Insufficient Logging and Monitoring

Using Components with Known Vulnerabilities
Cause:
• Inadequate or inconsistent process and enforcement for tracking and updating libraries, frameworks and other components
• What is well known is known to attackers too: a public CVE usually comes with a public exploit
Method of exploit:
• Scan for components with known vulnerabilities (version banners, dependency manifests)
• Exploit them with published exploit code
Mitigation:
• Inventory the components on clients and servers, including nested dependencies
• Download only from digitally signed official sources
• Manage the components: monitor, patch, configure
• Automate and continuously check the inventory against CVE (Common Vulnerabilities and Exposures) and NVD (National Vulnerability Database) data

Insufficient Logging and Monitoring
Cause: no logs, no tracking of activities in the logs, undecipherable context, or no action taken on the logs collected.
Method of exploit:
• Probe and attack unnoticed for long periods; turn off logging or manipulate log levels to hide activity
Mitigation:
• Follow the OWASP logging cheat sheet
• Granular error messages in the log (not to the user), appropriate alert thresholds, sensitive data masked in log files
• Correlate and monitor context with SIEM tools
• Integrity controls on logs (append-only storage, forwarded off the host) so an attacker cannot tamper with or delete them
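The "appropriate alert thresholds" and "mask data in log files" mitigations as an added example that is not from the deck: a detection rule run over constructed JSON-lines login events that flags one source IP failing against many distinct accounts inside a sliding window (the credential-stuffing pattern from the Broken Authentication slide), while a single user mistyping their own password does not trigger it. The log format, the thresholds and the addresses are demo assumptions.

```python
import json
from collections import defaultdict, deque

# Constructed JSON-lines auth log. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges. Source 203.0.113.7 tries six accounts in 25 s
# (credential stuffing, with one hit); 198.51.100.2 is one user retyping.
SAMPLE_LOG = """\
{"ts": 1700000000, "event": "login", "result": "fail", "user": "alice@example.com", "ip": "203.0.113.7"}
{"ts": 1700000005, "event": "login", "result": "fail", "user": "bob@example.com", "ip": "203.0.113.7"}
{"ts": 1700000010, "event": "login", "result": "fail", "user": "carol@example.com", "ip": "203.0.113.7"}
{"ts": 1700000015, "event": "login", "result": "fail", "user": "dave@example.com", "ip": "203.0.113.7"}
{"ts": 1700000020, "event": "login", "result": "fail", "user": "erin@example.com", "ip": "203.0.113.7"}
{"ts": 1700000025, "event": "login", "result": "success", "user": "frank@example.com", "ip": "203.0.113.7"}
{"ts": 1700000030, "event": "login", "result": "fail", "user": "alice@example.com", "ip": "198.51.100.2"}
{"ts": 1700000040, "event": "login", "result": "fail", "user": "alice@example.com", "ip": "198.51.100.2"}
{"ts": 1700000050, "event": "login", "result": "success", "user": "alice@example.com", "ip": "198.51.100.2"}
"""


def mask_email(addr: str) -> str:
    """Keep enough to correlate events, not enough to leak PII into the SIEM."""
    local, _, domain = addr.partition("@")
    return (local[:1] + "***@" + domain) if domain else "***"


def detect_credential_stuffing(lines, window=60, min_failures=5, min_users=4):
    """Alert when one source IP fails logins against many distinct accounts
    inside a sliding window. One user retrying their own password never
    reaches min_users, so it does not match."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user) failures inside the window
    alerted = {}                  # ip -> the alert already raised for it
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event") != "login":
            continue
        ip = ev["ip"]
        if ev["result"] == "success":
            if ip in alerted:     # a hit after the spray: the account to lock and notify
                alerted[ip]["success_after_burst"] = mask_email(ev["user"])
            continue
        if ev["result"] != "fail":
            continue
        q = recent[ip]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_users and ip not in alerted:
            alerted[ip] = {"rule": "credential_stuffing", "ip": ip, "ts": ev["ts"],
                           "failures": len(q), "distinct_users": len(users),
                           "sample_users": sorted(mask_email(u) for u in users)[:3]}
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

Raising the alert once per source rather than once per event keeps the SIEM quiet enough that the threshold still means something; the success_after_burst field is what turns a noisy signal into an actionable one.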
Mobile Security

Mobile Security: Challenges & Best Practices
• Insecure Wi-Fi: network spoofing, man-in-the-middle attacks
  • Enforce use of an encrypted channel or a VPN
• Out-of-date devices: attackers scan for out-of-date devices and exploit known vulnerabilities
  • Enforce software updates through a strong policy and over-the-air updates
• Cryptojacking: mobile software vulnerabilities are exploited to mine cryptocurrency on the device
  • MFA, strong passwords, password policy
  • Keep software updated
  • Limit the apps that may be installed
  • Secure browsing with safe-URL filtering
• Poor password hygiene
  • Strong policy, password manager
• Physical device breaches: driven by user behaviour, a balance between flexibility and security
  • Jailbroken or rooted devices
  • Old phones and phones that are never updated
  • Data leakage
  • Use endpoint protection, DLP (Data Loss Prevention) tools and MDM (Mobile Device Management) solutions
• Social engineering: instant and continuous exposure through the device
  • Phishing: awareness training, spam filter, patches, antivirus, web filter, encryption
API Security
API Security: An overview
• An Application Programming Interface (API) is an interface, or contract, between two entities: a consumer and a provider
• The provider offers a service described by a contract (WSDL for SOAP, Swagger/OpenAPI 3 for REST); REST APIs are the most popular style
• An API shares, and therefore exposes, corporate resources and data
• Digital transformation is the main driver of the API economy
• An API is another avenue
  • to stimulate innovation
  • to create customer stickiness
  • to build an ecosystem
  • for monetization
  • and, unavoidably, for attack: every endpoint is attack surface
• Private API: used internally by an organization to integrate its software systems
• Public API: programming interfaces exposed to developer communities
• Partner API: programming interfaces exposed to business partners
API Security: Challenges
• Application source code exposure (keys and endpoints shipped in client code)
• Passwords shared between applications
• Unprotected data in the backend
• Improperly secured endpoints and URLs
• OAuth tokens stored unencrypted or sent in clear text
• OWASP Top 10 2017 entries A1, A2, A4, A5, A6, A7 and A10 apply directly:
  • Injection
  • Broken Authentication
  • XXE (XML External Entities)
  • Broken Access Control
  • Security Misconfiguration
  • XSS (Cross Site Scripting), where API output is rendered by a browser client
  • Insufficient logging and monitoring
API Security: Methods
• Authenticate using
  • Username/password (HTTP Basic, only ever over TLS)
  • Cookie authentication
  • Digital certificates (client certificates)
  • API keys
  • MFA
  • HTTP Digest
  • Bearer tokens (OAuth 2.0)
  • OpenID Connect (OIDC): an ID token for authentication plus an access token for API access
  • HOBA (HTTP Origin-Bound Authentication): signature based, no password is sent
  • Mutual authentication (e.g. mutual TLS, where client and server both present certificates)
  • Request signing (HMAC or public-key signature over the request)
• Authorize using
  • OAuth 2.0 access tokens: the client, identified by its client ID, obtains an access token from the authorization server and presents it to the API as a Bearer token; the API validates the token (signature or introspection, issuer, audience, expiry) and enforces its scopes
API Security: Best Practices
• Think through what happens if the data behind the API is compromised
• Plan for growth: consider at design time how the API will be deployed, its intent and which user groups will call it
• Consider which resources and fields are exposed, the business purpose, the scope and which HTTP methods are allowed
• Use an existing framework and the existing security process
• Encrypt data in motion (TLS everywhere)
• Use an API gateway for API management (e.g. Apigee, MuleSoft) to
  • enforce and analyze authorization
  • inspect messages
  • validate tokens and parameters
  • track usage
  • throttle usage with rate limits
  • encrypt and redact logs
• Detect insecure (clear-text or unauthenticated) API calls with traffic sniffers
• Consistent change management
• Classify each API as public, private or partner
• Security scans covering home-grown code, third-party libraries and open-source components
• Data-driven automated testing
  • SAST (Static Application Security Testing: white box, on the source code)
  • DAST (Dynamic Application Security Testing: black box, against the running application)
  • IAST (Interactive Application Security Testing: instruments the running application to observe code, configuration, connections, third-party libraries and frameworks in real time)
  • RASP (Runtime Application Self-Protection: monitors attacks from inside the application and terminates malicious sessions)
• Security audit
Container Security
Container Security: An Overview
• What are Containers, why are they needed?
• Containers provide an immutable, portable, reusable, and automatable way
to package and run apps
• 5 key components
• Image
• Registry
• Orchestrator
• Container
• Host OS
Container Security: Challenges
• Image
  • Image vulnerabilities (outdated packages in the base image)
  • Image configuration defects (running as root, unnecessary capabilities)
  • Embedded malware
  • Embedded clear-text secrets
  • Use of untrusted images
• Registry
  • Insecure connections to registries
  • Stale images in registries
  • Insufficient authentication and authorization
• Orchestrator
  • Unbounded administrative access
  • Unauthorized access
  • Poorly separated inter-container traffic
  • Mixing of workloads of different sensitivity
  • Orchestrator node trust
• Containers
  • Vulnerabilities in the runtime software
  • Unbounded network access from containers
  • Insecure container runtime configuration (privileged containers, host mounts)
  • Application vulnerabilities
  • Rogue containers
• Host OS
  • Large attack surface
  • Shared kernel: a kernel exploit from one container compromises every container on the host
  • Host OS component vulnerabilities
  • Improper user access rights
  • Host OS file system tampering
• Across all components
  • Visibility and identity of each container
  • Resource hogging (no CPU or memory limits)
  • Storage of secrets outside the container
  • DDoS
Container Security: Best Practices
• Use a container-specific host OS and a minimal base image with just the required packages and capabilities
• Group containers with the same purpose, sensitivity and threat posture on a single host OS (as NIST SP 800-190 recommends)
• User namespaces, so root inside a container is not root on the host
• Hypervisor isolation and container isolation between workloads of different sensitivity
• Image allow-listing, labelling and versioning
• Container-aware network and process monitoring
• Validated, digitally signed images: verify hashes and signatures before images are pulled and run
• Live scanning, runtime controls and container-aware runtime defence tools (Twistlock, NeuVector)
• Secure all tiers with a hardware root of trust using the industry-standard Trusted Platform Module (TPM): measured boot of the host and attestation before it is allowed to run sensitive workloads
• Manage the container lifecycle with policies (no stale images, rebuild when the base image is updated)
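An added example (not from the deck) for the image-level practices: a small linter that reads a Dockerfile and reports the image configuration defects the challenges slide lists (floating base image, ADD instead of COPY, clear-text secret in ENV/ARG, remote script piped into a shell, no USER so the container runs as root), run over a weak and a hardened Dockerfile that are both constructed here. The finding codes and the two Dockerfiles are assumptions; a real image scanner additionally checks the packages inside the built image.

```python
import re

# Two constructed Dockerfiles: the weak one shows the image-level defects from
# the challenges slide, the hardened one is the corrected form.
WEAK_DOCKERFILE = """\
FROM python:latest
ADD app.tar.gz /app
ENV DB_PASSWORD=hunter2
RUN curl -sSL https://example.com/install.sh | sh
CMD ["python", "/app/main.py"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.12-slim
RUN addgroup --system app && adduser --system --ingroup app app
COPY --chown=app:app app/ /app/
ENV APP_ENV=production
USER app
CMD ["python", "/app/main.py"]
"""

SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)


def _instructions(text: str):
    """Yield (INSTRUCTION, arguments) with comments, blank lines and
    backslash line continuations handled, so a check cannot be dodged."""
    joined = re.sub(r"\\\n", " ", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def lint_dockerfile(text: str) -> list:
    """Return finding codes for the image configuration defects the slides list."""
    findings = []
    saw_user = False
    for instr, args in _instructions(text):
        if instr == "FROM":
            image = args.split()[0]
            last = image.rsplit("/", 1)[-1]           # strip registry/namespace
            # Pinning by digest is best; a fixed tag is acceptable; no tag or
            # :latest means the build silently changes from one day to the next.
            if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
                findings.append("FROM_LATEST_OR_UNTAGGED")
        elif instr == "ADD":
            findings.append("ADD_INSTEAD_OF_COPY")   # ADD auto-extracts archives and fetches URLs
        elif instr in ("ENV", "ARG"):
            var_name = (args.split("=")[0].split() or [""])[0]
            if SECRET_NAME.search(var_name):
                findings.append("SECRET_IN_ENV_OR_ARG")  # baked into every layer and `docker inspect`
        elif instr == "RUN" and re.search(r"\|\s*(ba)?sh\b", args):
            findings.append("PIPE_TO_SHELL")        # unverified remote code baked into the image
        elif instr == "USER" and args.strip() not in ("root", "0"):
            saw_user = True
    if not saw_user:
        findings.append("RUNS_AS_ROOT")
    return findings


if __name__ == "__main__":
    print("weak:", lint_dockerfile(WEAK_DOCKERFILE))
    print("hardened:", lint_dockerfile(HARDENED_DOCKERFILE))
```

Secrets belong in a runtime secret store or a build secret mount, never in ENV or ARG; and a tag only fixes which image you meant on the day you wrote it, so pin the digest once the image has been scanned and signed.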
Open Source Security
Open-source Security: Challenges
• Pull model: users, not the project, are responsible for keeping track of vulnerabilities and fixes
• Indirect (transitive) dependencies that nobody chose explicitly
• Known vulnerabilities in system libraries and container images
• CVEs in distributions
• Malicious packages
  • Typosquatting of popular package names
  • Compromised CI pipelines or registries
  • Malicious package pulled in as a dependency
  • Socially engineered inclusion of a malicious package (a "helpful" new maintainer)
• GPL license violations and conflicts
Open-source Security: An Overview
• Open-source software
  • Source code released free of char­ge under a license
  • The license grants anyone the rights to freely use, study, modify, redistribute and share the software for any purpose
• Affordability
• Transparency
• Perpetuity
• Interoperability
• Flexibility
Open-source Security: Challenges (common vulnerability classes in open-source components)
• Path traversal (aka directory traversal or backtracking)
• Cross-site scripting (XSS)
• Sensitive information exposure: permissions, privileges and access control
• Deserialization of untrusted data
• Out-of-bounds write
• Resource management errors
• SQL injection
• Regular expression denial of service (ReDoS)
Open-source Security: Best Practices
• Use SCA (Software Composition Analysis) tools to inventory dependencies and match them against vulnerability databases
• Enforce consistent security audits
• Patch as soon as possible
• Canonicalize and validate file paths (decode first, then check that the resolved path stays inside the allowed directory) to avoid directory traversal
• Use an open-source security lifecycle
• Make pre-approved, easy-to-consume libraries, packages, toolchains and processes available
• Responsible security disclosure
• Secure the code base with code review
• Audit the code base
• Ensure compliance with software licenses, an essential step in reducing business risk; breach of an open-source license can result in IP infringement
• Use tools, e.g. OWASP ZAP (DAST), SonarQube (SAST), Black Duck (SCA)
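The SCA bullet here and the "automate and consistently check against CVE/NVD" bullet on the Using Components with Known Vulnerabilities slide, as one added example that is not from the deck: a minimal software composition check that parses a pinned lock file and matches each version against a range-based advisory feed. The feed, its EXAMPLE-... identifiers and the flagged package names are fictional placeholders constructed for the demo; a real run pulls advisories from NVD, OSV or the GitHub Advisory Database and covers transitive dependencies because the lock file pins them too.

```python
import re

# Constructed advisory feed with hypothetical identifiers and fictional
# package names (not real CVEs). Format loosely follows OSV: a package,
# an affected version range and a severity.
ADVISORIES = [
    {"id": "EXAMPLE-2019-0001", "package": "fancylib", "affected": "<2.3.1",
     "severity": "high", "summary": "deserialization of untrusted data"},
    {"id": "EXAMPLE-2019-0002", "package": "yamlthing", "affected": ">=5.0,<5.4",
     "severity": "critical", "summary": "arbitrary code execution on load()"},
    {"id": "EXAMPLE-2018-0007", "package": "fancylib", "affected": "<1.9",
     "severity": "medium", "summary": "regular expression denial of service"},
]

# Constructed lock file: exact pins, transitive dependencies included.
LOCKFILE = """\
# generated by the build; do not edit by hand
fancylib==2.2.0
yamlthing==5.1
requests==2.22.0
"""

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "==": lambda a, b: a == b, "!=": lambda a, b: a != b}


def parse_version(v: str) -> tuple:
    """'5.1' -> (5, 1, 0): pad so that 5.1 and 5.1.0 compare equal."""
    nums = [int(x) for x in re.findall(r"\d+", v)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def version_in_range(version: str, spec: str) -> bool:
    """spec is a comma-separated conjunction such as '>=5.0,<5.4'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def parse_lockfile(text: str) -> dict:
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, version = line.split("==")
            pins[name.strip().lower()] = version.strip()
    return pins


def audit(lockfile: str, advisories=ADVISORIES) -> list:
    """One finding per (pinned package, matching advisory), for the build to fail on."""
    pins = parse_lockfile(lockfile)
    findings = []
    for adv in advisories:
        installed = pins.get(adv["package"].lower())
        if installed and version_in_range(installed, adv["affected"]):
            findings.append({"package": adv["package"], "installed": installed,
                             "advisory": adv["id"], "severity": adv["severity"]})
    return sorted(findings, key=lambda f: (f["package"], f["advisory"]))


if __name__ == "__main__":
    for f in audit(LOCKFILE):
        print(f'{f["severity"]:8} {f["package"]}=={f["installed"]} {f["advisory"]}')
```

Run it in CI against the lock file that actually gets deployed, not the hand-written requirements list, and fail the build above a severity threshold; the pull model on the challenges slide means nobody else will run it for you.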
Conclusion
The application security terrain is vast and rough. Get a handle on these areas for a smooth sail on your journey!

More Related Content

Similar to WebApp_to_Container_Security.pdf

OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3Eoin Keary
 
Top Azure security fails and how to avoid them
Top Azure security fails and how to avoid themTop Azure security fails and how to avoid them
Top Azure security fails and how to avoid themKarl Ots
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseBlueinfy Solutions
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS SummitTop 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS SummitAmazon Web Services
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015devObjective
 
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...NetworkCollaborators
 
Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics NetworkCollaborators
 
CompTIASecPLUSAASS-part4 - Edited (1).pptx
CompTIASecPLUSAASS-part4 - Edited (1).pptxCompTIASecPLUSAASS-part4 - Edited (1).pptx
CompTIASecPLUSAASS-part4 - Edited (1).pptxmohedkhadar60
 

Similar to WebApp_to_Container_Security.pdf (20)

Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
Web Security
Web SecurityWeb Security
Web Security
 
Top Azure security fails and how to avoid them
Top Azure security fails and how to avoid themTop Azure security fails and how to avoid them
Top Azure security fails and how to avoid them
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the Cloud
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS SummitTop 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
 
Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics Cisco Connect 2018 Thailand - Telco service provider network analytics
Cisco Connect 2018 Thailand - Telco service provider network analytics
 
CompTIASecPLUSAASS-part4 - Edited (1).pptx
CompTIASecPLUSAASS-part4 - Edited (1).pptxCompTIASecPLUSAASS-part4 - Edited (1).pptx
CompTIASecPLUSAASS-part4 - Edited (1).pptx
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

WebApp_to_Container_Security.pdf

  • 1. Application Security By Anna Pasupathy CISSP, CISM © 2019 Claren
  • 2. Application Security Application Security: Securing software Applications Topics • Web application security: • Securing web applications • API (Application Programming Interface) Security • Securing API communication between machines/applications • Mobile Security: • Securing mobile applications • Container security: • Securing software containers • Open-source security: • Securing the open-source software in use © 2019 Claren
  • 3. Web Application Security OWASP Top 10 2017 • A1 - Injection • A2 - Broken Authentication • A3 - Sensitive Data Exposure • A4 - XML External Entities (XXE) • A5 - Broken Access Control • A6 - Security Misconfiguration • A7 - Cross Site Scripting (XSS) • A8 - Insecure Deserialization • A9 - Using Components with Known Vulnerabilities • A10 - Insufficient Logging and Monitoring © 2019 Claren
4. Web Application Security: Risk Ratings
Scoring: Exploitability (3 Easy, 2 Average, 1 Difficult); Prevalence (3 Widespread, 2 Common, 1 Uncommon); Detectability (3 Easy, 2 Average, 1 Difficult); Technical Impact (3 Severe, 2 Moderate, 1 Minor).

| Risk | Exploitability | Prevalence | Detectability | Technical Impact | Business Impact |
|---|---|---|---|---|---|
| Injection | 3 | 2 | 3 | 3 | Data loss, corruption, data disclosure, loss of accountability, denial of access, host takeover |
| Broken Authentication | 3 | 2 | 3 | 3 | Money laundering, social security fraud, identity theft, disclosure of sensitive information |
| Sensitive Data Exposure | 2 | 3 | 2 | 3 | PII leak with legal penalties |
| XML External Entities (XXE) | 2 | 2 | 3 | 3 | Extract data, execute a remote request, scan internal systems, DoS, launch other attacks |
| Broken Access Control | 2 | 2 | 2 | 3 | Unauthorized create/read/update/delete (CRUD) on data |
| Security Misconfiguration | 3 | 3 | 3 | 2 | System compromise |
| Cross Site Scripting (XSS) | 3 | 3 | 3 | 2 | Stealing credentials or sessions, delivering malware |
| Insecure Deserialization | 1 | 2 | 2 | 3 | Remote code execution |
| Using Components with Known Vulnerabilities | 2 | 3 | 2 | 2 | Depends on the component |
| Insufficient Logging and Monitoring | 2 | 3 | 1 | 2 | Raises the likelihood of a successful exploit to nearly 100% |
5. Injection, Broken Authentication

Injection
Cause: user input is not validated before it reaches an interpreter.
Method of exploit:
• User input becomes part of a database or LDAP query, revealing data or making changes in the database
Mitigation:
• Validate user input on the server side (client-side checks can be bypassed)
• Separate data from the command: use query parameterization (prepared statements)
• Escape special characters where parameterization is not possible
• Limit data exposure (least-privilege database accounts, minimal result sets)
• Use a WAF as a secondary control, not as the fix

Broken Authentication
Cause: inadequate or no authentication.
Method of exploit:
• Brute force
• Default, weak, known or unencrypted passwords
• No MFA
• Session ID exposed in the URL
• Static session IDs that never expire
• Automated credential stuffing
Mitigation:
• Check passwords against lists of common or breached passwords at registration and on change
• Enforce password length and complexity requirements
• Enforce password rotation (the deck's advice; note that NIST SP 800-63B now recommends rotating only on evidence of compromise)
• Apply exponential back-off or lockout to failed login attempts
• Server-side session management: issue a new session ID at login, expire it on logout and after inactivity
• Use MFA
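Both halves of this slide in working code, as an added example (not code from the deck): the injection side shows the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table, and the authentication side implements the exponential back-off on failed logins. The table contents, the payload string and the throttle's base delay are assumptions for the demo.

```python
import sqlite3
import time
from typing import Callable, Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed demo table (not from the deck): two users, nothing secret."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # Data and command are mixed: the caller's string is parsed as SQL.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # Data is bound as a parameter; the driver never interprets it as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the quoted literal and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


class LoginThrottle:
    """Exponential back-off per account: after the n-th consecutive failure the
    next attempt is refused for base_delay * 2**(n-1) seconds. A successful
    login resets the counter. The clock is injectable so tests need no sleep."""

    def __init__(self, base_delay: float = 1.0, clock: Callable[[], float] = time.monotonic):
        self.base_delay = base_delay
        self.clock = clock
        self._state: Dict[str, Tuple[int, float]] = {}  # user -> (failures, not_before)

    def allowed(self, user: str) -> bool:
        _, not_before = self._state.get(user, (0, 0.0))
        return self.clock() >= not_before

    def record_failure(self, user: str) -> float:
        """Record a failed attempt and return the delay imposed before the next one."""
        failures, _ = self._state.get(user, (0, 0.0))
        failures += 1
        delay = self.base_delay * (2 ** (failures - 1))
        self._state[user] = (failures, self.clock() + delay)
        return delay

    def record_success(self, user: str) -> None:
        self._state.pop(user, None)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # both rows leak
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no match
    throttle = LoginThrottle()
    for _ in range(3):
        print("next attempt delayed by", throttle.record_failure("alice"), "s")
```

The parameterized query is the fix; escaping is the fallback for places a driver cannot parameterize (identifiers, ORDER BY columns). The throttle keys on the account, so it slows credential stuffing against one user; pair it with per-IP limits for spray attacks across many accounts.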
6. Sensitive Data Exposure, XML External Entities (XXE)

Sensitive Data Exposure
Cause: insecure collecting, handling, storing, transmitting or deleting of data.
Method of exploit:
• Look for exposed data (backups, logs, unencrypted stores, clear-text traffic)
• File upload flaws
Mitigation:
• Classify data, apply controls per class, encrypt data at rest and in motion
• Use a WAF; manage keys properly (key management)
• Encrypt data in motion with a strong cipher: TLS with perfect forward secrecy (PFS)
• Cipher prioritization and secure parameters
• Use HTTP Strict Transport Security (HSTS) to guard against protocol downgrade and cookie hijacking
• Disable caching for sensitive data
• Store passwords with an adaptive, salted hash (Argon2, scrypt) to resist powerful hardware and GPU cracking

XML External Entities (XXE)
Cause: attacker-controlled XML processed by a weakly configured XML parser.
Method of exploit:
• Submit XML that declares an external entity, so the parser discloses local files, makes server-side requests, scans internal systems or exhausts resources
Mitigation:
• Disable DTDs and external entity processing in every XML parser in use
• Prefer less complex data formats such as JSON; avoid serializing sensitive data
• Use SAST and DAST tools to find parsers that still resolve entities
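The password-storage bullet in working form, as an added example (not code from the deck): a salted, adaptive scrypt record using only the Python standard library, verified with a constant-time comparison, plus a check that lets the application upgrade records made with weaker parameters. The work factors and the record format are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Work factors chosen for this demo (assumption, not from the deck). N is the
# CPU/memory cost (a power of two), r the block size, p the parallelism.
# Memory use is roughly 128 * N * r bytes, so N=2**14, r=8 needs about 16 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024  # upper bound handed to OpenSSL for one computation


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$digest (hex fields)."""
    salt = secrets.token_bytes(16)  # unique per password: equal passwords hash differently
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def _parse(stored: str):
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme")
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record, compare in constant time."""
    try:
        n, r, p, salt, digest = _parse(stored)
    except ValueError:  # malformed record, wrong field count or unknown scheme
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, maxmem=MAXMEM, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str) -> bool:
    """True when the record is weaker than current policy; re-hash on the next
    successful login, when the clear-text password is briefly available."""
    try:
        n, r, p, _, digest = _parse(stored)
    except ValueError:
        return True
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P or len(digest) < DKLEN
```

Because the parameters travel with the record, the cost can be raised later without invalidating existing users; `needs_rehash` is what makes the hash "adaptive" in practice.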
7. Broken Access Control, Security Misconfigurations

Broken Access Control
Cause: access checks are missing or bypassable, giving unauthorized access to resources.
Method of exploit:
• Missing policy or rules
• Bypass access control checks (modify the URL, parameters or API request)
• Privilege escalation (act as an admin or as another user)
• Not using MFA
Mitigation:
• Deny by default, use least privilege
• Use MFA, delete unwanted accounts
• Minimize CORS (Cross-Origin Resource Sharing) allowances
• Log and audit access-control failures on the server, and alert on repeated ones
• Limit the actions allowed per role and reduce the exposed surface (unwanted services); scrutinize every access
• Rate limit access
• Invalidate JWT tokens on logout (they stay valid until expiry otherwise)
• Disallow access to unexposed URLs/endpoints and disable directory listing
• Use SAST, DAST and a WAF

Security Misconfigurations
Cause: inadequate security hardening.
Method of exploit:
• Exploit unpatched flaws
• Old accounts, default accounts and passwords
• Unused features, services or sample applications left enabled
• Sensitive user or component details exposed in error messages and stack traces
• Unprotected directory listing allowing reverse engineering
Mitigation:
• Patch flaws
• Disable default configuration and default permissions
• Use a repeatable hardening process
• Use the same hardened configuration across all environments (with different credentials), on a minimal platform
• Security directives in headers: HSTS (HTTP Strict Transport Security), X-Frame-Options; the deck also lists HPKP (HTTP Public Key Pinning), which browsers have since deprecated and removed
• Use segmentation for components and tenants: containers, security groups
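The "deny by default, least privilege" bullet as working code, an added example that is not from the deck: an explicit allow table keyed by (role, action), an object-level ownership predicate so a customer cannot read another customer's invoice by changing the id, an audit trail of every decision, and a single error for "missing" and "forbidden" so the check does not leak which ids exist. The roles, actions, `Invoice` record and store are assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: int


Rule = Callable[[User, Invoice], bool]


def is_owner(user: User, inv: Invoice) -> bool:
    return inv.owner == user.name


def anyone(user: User, inv: Invoice) -> bool:
    return True


# The only route to access: an explicit (role, action) entry whose predicate holds
# for the concrete record. Anything absent from this table is denied.
ALLOW: Dict[Tuple[str, str], Rule] = {
    ("customer", "read"): is_owner,
    ("customer", "update"): is_owner,
    ("support", "read"): anyone,
    ("admin", "read"): anyone,
    ("admin", "update"): anyone,
    ("admin", "delete"): anyone,
}

AUDIT: List[Tuple[str, str, int, str]] = []  # (user, action, invoice id, decision)


def authorize(user: User, action: str, inv: Invoice) -> bool:
    """Deny by default: True only if some role of the user has an allow rule for
    this action and that rule holds for this record."""
    decision = any(
        rule(user, inv)
        for (role, act), rule in ALLOW.items()
        if act == action and role in user.roles
    )
    AUDIT.append((user.name, action, inv.id, "allow" if decision else "deny"))
    return decision


def get_invoice(user: User, invoice_id: int, store: Dict[int, Invoice]) -> Invoice:
    """Object-level check against the record actually fetched (blocks IDOR).
    Missing and forbidden raise the same error so existence is not leaked."""
    inv = store.get(invoice_id)
    if inv is None or not authorize(user, "read", inv):
        raise PermissionError(f"invoice {invoice_id}: access denied")
    return inv


def can_read(user: User, invoice_id: int, store: Dict[int, Invoice]) -> bool:
    try:
        get_invoice(user, invoice_id, store)
        return True
    except PermissionError:
        return False
```

The important property is that `authorize` is consulted on the record that was fetched, not on the request's claims: the id in the URL only selects the row, it never grants access.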
8. Cross Site Scripting (XSS), Insecure Deserialization

Cross Site Scripting (XSS)
Cause: untrusted data is placed into browser content without escaping, so the browser runs it as code.
Types: reflected XSS, stored XSS, DOM-based XSS.
Method of exploit:
• Client-side code injection exploiting the browser's and the user's trust in the web site
• Steal the session cookie
• Read, write or manipulate data through the victim's session
Mitigation:
• Escape untrusted data for the context it lands in (HTML body, attribute, JavaScript, URL)
• Use frameworks that escape automatically
• Keep untrusted user input separate from active browser content
• Ensure the web application itself is secure; use a WAF as a secondary control

Insecure Deserialization
Cause: objects deserialized from attacker-controlled input.
Method of exploit:
• Serialized objects accepted from untrusted sources, for example a "super cookie" holding the logged-in user's serialized state (role, password hash)
• A manipulated super cookie changes the role or other fields, leading to privilege escalation, remote code execution or denial of service
Mitigation:
• Integrity checks, such as digital signatures or an HMAC, on every serialized object before it is parsed
• Strict type constraints during deserialization
• Validate user input
• Use a WAF
• Run code that deserializes in low-privilege, isolated environments
• Monitor, restrict, log and alert on deserialization exceptions and failures
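The "super cookie" scenario and its two mitigations (integrity check, then strict type constraints) as working code; this is an added example, not code from the deck. State goes into the cookie as plain JSON rather than a language-native object graph, an HMAC tag covers the exact bytes that will be parsed, and the parsed claims are checked against the shape the server expects. The key, claim names and role set are assumptions for the demo; `tamper` plays the attacker.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Server-side secret (generated here for the demo; in production it comes from a key store).
KEY = secrets.token_bytes(32)
VALID_ROLES = {"user", "admin"}


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def make_cookie(claims: dict, key: bytes = KEY) -> str:
    """Serialize as JSON (data only, no code or class names) and append an HMAC
    tag computed over the exact bytes the server will later parse."""
    payload = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, payload, hashlib.sha256).digest())
    return (payload + b"." + tag).decode()


def read_cookie(cookie: str, key: bytes = KEY) -> Optional[dict]:
    """Verify integrity before parsing; then enforce the shape the data must have."""
    try:
        payload, tag = cookie.encode().split(b".")
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):  # wrong field count, bad base64 or bad JSON
        return None
    # Strict type constraints: a signed cookie with the wrong shape is still rejected.
    if (not isinstance(claims, dict)
            or not isinstance(claims.get("user"), str)
            or claims.get("role") not in VALID_ROLES):
        return None
    return claims


def tamper(cookie: str, new_role: str) -> str:
    """What an attacker can do: edit the payload and keep the old tag (no key)."""
    payload, tag = cookie.encode().split(b".")
    claims = json.loads(_unb64(payload))
    claims["role"] = new_role
    return (_b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
            + b"." + tag).decode()
```

Verifying before parsing is the order that matters: a format such as Python's pickle or Java serialization executes logic while decoding, so any parse of untrusted bytes is already too late. With JSON the parser is inert, and the HMAC turns the cookie from "attacker-controlled input" into "server-authored data".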
9. Using Components with Known Vulnerabilities, Insufficient Logging and Monitoring

Using Components with Known Vulnerabilities
Cause:
• Inadequate and inconsistent process or enforcement for tracking components
• "Well known" means known to everyone, attackers included
Method of exploit:
• Scan for components with known vulnerabilities, then exploit them
Mitigation:
• Inventory components on clients and servers
• Download only from official, digitally signed sources
• Manage: monitor, patch, configure
• Automate consistent checks against CVE (Common Vulnerabilities and Exposures) and the NVD (National Vulnerability Database)

Insufficient Logging and Monitoring
Cause: no logs, no tracking of activity in the logs, logs without decipherable context, or no action taken on the logs collected.
Method of exploit:
• Turn off logging or manipulate log levels to hide activity
Mitigation:
• Follow the OWASP Logging Cheat Sheet
• Granular error messages, appropriate alert thresholds, masked sensitive data in log files
• Monitor the context using SIEM tools
• Integrity control of logs (append-only storage, signing or hash chaining)
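The two logging bullets that are easiest to get wrong, "mask data in log files" and "integrity control of logs", as working code; this is an added example, not code from the deck. Each record carries an HMAC over its own content and the previous record's tag, so editing, deleting or appending a line without the key breaks the chain at a detectable position, and bearer tokens and e-mail addresses are masked before they are written. The line format, key and redaction patterns are assumptions for the demo; the sample events are constructed.

```python
import hashlib
import hmac
import json
import re
from typing import List, Optional

GENESIS = "0" * 64  # "previous tag" of the first record
TOKEN_RE = re.compile(r"(Bearer\s+)[A-Za-z0-9._\-]+")
EMAIL_RE = re.compile(r"\b([A-Za-z0-9])[A-Za-z0-9._%+-]*(@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")


def redact(msg: str) -> str:
    """Mask bearer tokens entirely and e-mail local parts down to one character."""
    msg = TOKEN_RE.sub(r"\1[REDACTED]", msg)
    return EMAIL_RE.sub(r"\1***\2", msg)


def _mac(key: bytes, prev: str, seq: int, body: str) -> str:
    # The tag binds position (seq), content (body) and history (prev tag).
    return hmac.new(key, f"{prev}|{seq}|{body}".encode(), hashlib.sha256).hexdigest()


def append_record(lines: List[str], key: bytes, event: dict) -> str:
    """Append one line of the form seq|json|mac and return it."""
    event = {**event, "msg": redact(str(event.get("msg", "")))}
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    seq = len(lines)
    prev = lines[-1].rsplit("|", 1)[1] if lines else GENESIS
    line = f"{seq}|{body}|{_mac(key, prev, seq, body)}"
    lines.append(line)
    return line


def verify_chain(lines: List[str], key: bytes) -> Optional[int]:
    """Return None if the log is intact, else the index of the first bad line."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            seq, rest = line.split("|", 1)
            body, mac = rest.rsplit("|", 1)
            seq_n = int(seq)
        except ValueError:
            return i
        if seq_n != i or not hmac.compare_digest(mac, _mac(key, prev, i, body)):
            return i
        prev = mac
    return None
```

The verifier's key must live somewhere the logging host cannot reach (a SIEM or a write-once store), otherwise an attacker who owns the host can re-sign the edited log. Truncation from the end is the one edit a chain alone cannot detect; anchor the latest tag off-host periodically to close that gap.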
11. Mobile Security: Challenges & Best Practices
• Wi-Fi interception: network spoofing, man-in-the-middle attacks
  • Enforce the use of an encrypted channel or VPN
• Out-of-date devices: attackers scan for out-of-date devices and exploit known vulnerabilities
  • Enforce software updates with a strong policy and over-the-air updates
• Cryptojacking: mobile software vulnerabilities exploited to mine cryptocurrency
  • MFA, strong passwords, password policy
  • Keep software updated; limit the apps allowed
  • Secure browsing, safe-URL filtering
• Poor password hygiene
  • Strong policy, password manager
12. Mobile Security: Challenges & Best Practices
• Physical device breaches: user behaviour, a balance between flexibility and security
  • Jailbroken devices
  • Old or un-updated phones
  • Data leakage
  • Use endpoint protection, DLP (data loss prevention) tools and MDM (mobile device management) solutions
• Social engineering: the device gives instant and continuous exposure to the user
  • Phishing: awareness training, spam filter, patches, antivirus, web filter, encryption
14. API Security: An Overview
• An Application Programming Interface (API) is an interface, or contract, between two entities: a consumer and a provider
• The provider offers a service described by a contract (WSDL for SOAP, Swagger/OpenAPI 3 for REST); REST APIs are the most popular
• APIs share, and therefore expose, corporate resources and data
• Digital transformation is the main driver of the API economy; APIs are another avenue:
  • to stimulate innovation
  • to create customer stickiness
  • to build an ecosystem
  • for monetization
  • for an attack surface
• Private API: used internally by an organization to integrate its software systems
• Public API: exposed to developer communities
• Partner API: exposed to business partners
15. API Security: Challenges
• Application source code exposure
• Passwords shared between apps
• Unprotected data in the backend
• Improperly secured endpoints/URLs
• OAuth tokens stored unencrypted or sent in clear text
• OWASP Top 10 items A1, A2, A4, A5, A6, A7 and A10 apply directly to APIs:
  • Injection
  • Broken Authentication
  • XXE (XML External Entities)
  • Broken Access Control
  • Security Misconfiguration
  • XSS (Cross Site Scripting)
  • Insufficient Logging and Monitoring
16. API Security: Methods
• Authenticate using:
  • Username/password (HTTP Basic)
  • Cookie authentication
  • Digital certificates (mutual TLS)
  • API keys
  • MFA
  • HTTP Digest
  • Bearer tokens (for OAuth 2.0)
  • OpenID Connect (OIDC): an ID token for authentication plus an access token for authorization
  • HOBA (HTTP Origin-Bound Authentication)
  • Mutual authentication protocols
  • Request signatures
• Authorize using:
  • OAuth 2.0: the client, identified by its client ID, obtains an access token and presents it as a Bearer token on each call; the API checks the token and its scopes before serving the request
17. API Security: Best Practices
• Ask what happens if the data is compromised
• Plan for growth: consider it during design and deployment, together with the intent of the API and which user groups it serves
• Decide which resources and fields are exposed, for which business purpose, with what scope and over which HTTP methods
• Use an existing framework and the existing security process
• Encrypt data in motion
• Use an API gateway for API management (e.g. Apigee, MuleSoft) to:
  • analyze authorization
  • inspect messages, tokens and parameters
  • track usage
  • throttle usage with rate limits
  • encrypt and redact logs
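What the gateway bullets look like in code, as an added example that is not from the deck: a bearer API-key check that keeps only hashes of client secrets and compares in constant time, followed by per-client throttling with a token bucket. The registry, the `client.secret` token layout, the burst and refill rate, and the status codes are assumptions for the demo; the clock is injectable so the refill behaviour can be tested without waiting.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict, Tuple

# Constructed client registry for the demo: the gateway stores only a SHA-256 of
# each secret, so a leaked table does not hand out usable credentials.
KEY_HASHES: Dict[str, str] = {
    "acme": hashlib.sha256(b"acme-demo-secret").hexdigest(),
}


class TokenBucket:
    """Per-client token bucket: `burst` requests may arrive at once, after which
    the bucket refills at `rate` requests per second."""

    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self._buckets: Dict[str, Tuple[float, float]] = {}  # client -> (tokens, last_ts)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        self._buckets[client] = (tokens, now)
        return False


class Gateway:
    def __init__(self, key_hashes: Dict[str, str], limiter: TokenBucket):
        self.key_hashes, self.limiter = key_hashes, limiter

    def handle(self, headers: Dict[str, str]) -> Tuple[int, str]:
        """Authenticate, then throttle per authenticated client, then forward."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        client, _, secret = auth[len("Bearer "):].partition(".")
        expected = self.key_hashes.get(client)
        presented = hashlib.sha256(secret.encode()).hexdigest()
        # Always run the comparison, even for unknown clients, so response timing
        # does not reveal which client IDs exist.
        if not hmac.compare_digest(presented, expected or "0" * 64):
            return 401, "invalid credentials"
        if not self.limiter.allow(client):
            return 429, "rate limit exceeded"
        return 200, f"forwarded for client {client}"
```

Throttling after authentication, keyed on the client, is deliberate: an unauthenticated limiter can only key on source IP, which a credential-stuffing botnet spreads across thousands of addresses. Keep an IP-based limiter in front for the unauthenticated 401 path as well.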
18. API Security: Best Practices
• Detect insecure (unencrypted) API calls with network sniffers
• Consistent change management
• Classify each API as public, private or partner
• Security scans for home-grown code, third-party libraries and open-source components
• Data-driven automated testing:
  • SAST (Static Application Security Testing: white box, on source code)
  • DAST (Dynamic Application Security Testing: black box, at run time)
  • IAST (Interactive Application Security Testing: instrumented at run time, covering code, configuration, connections, third-party libraries and frameworks)
  • RASP (Runtime Application Self-Protection): monitors attacks from inside the running application and terminates sessions
• Security audits
20. Container Security: An Overview
• What are containers, and why are they needed?
• Containers provide an immutable, portable, reusable and automatable way to package and run applications
• Five key components (the same tiers NIST SP 800-190 uses to organize container risks):
  • Image
  • Registry
  • Orchestrator
  • Container
  • Host OS
21. Container Security: Challenges
• Image
  • Image vulnerabilities
  • Image configuration defects
  • Embedded malware
  • Embedded clear-text secrets
  • Use of untrusted images
• Registry
  • Insecure connections to registries
  • Stale images in registries
  • Insufficient authentication and authorization
• Orchestrator
  • Unbounded administrative access
  • Unauthorized access
  • Poorly separated inter-container traffic
  • Mixing of workload sensitivity levels
  • Orchestrator node trust
22. Container Security: Challenges
• Containers
  • Vulnerabilities in the runtime software
  • Unbounded network access from containers
  • Insecure container runtime configuration
  • Application vulnerabilities
  • Rogue containers
• Host OS
  • Large attack surface
  • Shared kernel
  • Host OS component vulnerabilities
  • Improper user access rights
  • Host OS file system tampering
23. Container Security: Challenges
• Visibility and identity of each container
• Resource hogging
• Storage of secrets outside the container
• DDoS
24. Container Security: Best Practices
• Use a container-specific host OS and a minimal base image with just the required capabilities
• Group containers with the same purpose, sensitivity and threat posture on a single host OS
• Isolation: user namespaces, container isolation and, for higher assurance, hypervisor isolation
• Image allowlisting, labeling and versioning
• Container-aware network and process monitoring
• Run only validated, digitally signed images, with hashes and signatures verified before deployment
• Live scanning, runtime controls and container-aware runtime defense tools (Twistlock, NeuVector)
• Secure all tiers with a hardware root of trust, using the industry-standard Trusted Platform Module (TPM)
• Digitally sign or integrity-check container images
• Manage the container lifecycle with policies
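The image-level practices above (minimal base image, no embedded secrets, least privilege inside the container) as a configuration example; this is an added example, not a Dockerfile from the deck. It assumes a Python service under `app/` with a `requirements.txt` and a `/healthz` endpoint on port 8080; image names, paths and the runtime flags in the trailing comment are assumptions, and the digest is a placeholder to fill in from your registry.

```dockerfile
# Build stage: compilers and build tools live only here and never reach production.
FROM python:3.12-slim AS build
WORKDIR /src
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

# Runtime stage: minimal base, no build tools, no source tree.
# Weak setting: "FROM python:3.12-slim" alone follows a mutable tag. Pin the
# digest (FROM python:3.12-slim@sha256:<digest>) so a retagged image cannot
# silently change what runs.
FROM python:3.12-slim

# Weak default: the process would run as root (uid 0) inside the container.
# Create an unprivileged system account and switch to it before CMD.
RUN groupadd --system app && useradd --system --gid app --no-create-home app

COPY --from=build /install /usr/local
COPY --chown=app:app app/ /app/
WORKDIR /app

# Secrets never go into layers: no "ENV API_KEY=...", no COPY of .env or key files.
# Inject them at runtime from the orchestrator's secret store.

USER app
EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=3s \
  CMD python -c "import sys, urllib.request; sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:8080/healthz').status == 200 else 1)"
CMD ["python", "-m", "app"]

# Lock the runtime down as well (all are standard "docker run" flags):
#   docker run --read-only --tmpfs /tmp --cap-drop ALL --security-opt no-new-privileges <image>
```

`--read-only` with a tmpfs for scratch space turns most post-exploitation writes into errors, `--cap-drop ALL` removes the kernel capabilities the application never needed, and `no-new-privileges` stops setuid binaries inside the image from handing them back.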
  • 25. Open Source Security © 2019 Claren
26. Open-source Security: Challenges
• Pull model: users are responsible for tracking vulnerabilities and fixes themselves
• Indirect (transitive) dependencies
• Known vulnerabilities in system libraries and container images
• CVEs in distributions
• Malicious packages:
  • Typosquatting
  • Compromised CI or registry
  • Malicious package pulled in as a dependency
  • Socially engineered inclusion of a malicious package
• GPL license violations and conflicts
27. Open-source Security: An Overview
• Open-source software: source code released freely under a license that grants anyone, not only the copyright holder, the rights to study, modify, redistribute and share it, for any purpose
• Benefits: affordability, transparency, perpetuity, interoperability, flexibility
28. Open-source Security: Challenges (common vulnerability classes in open-source code)
• Path traversal (aka directory traversal or backtracking)
• Cross-site scripting (XSS)
• Sensitive information exposure through permissions, privileges and access control
• Deserialization of untrusted data
• Out-of-bounds write
• Resource management errors
• SQL injection
• Regular expression denial of service (ReDoS)
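Path traversal heads this list, and it is also the one the next slide's advice is vaguest about, so here is the check as an added example (not code from the deck): decode the user-supplied path once, reject absolute paths, backslashes and NUL bytes, normalize lexically, and require the result to stay under the base directory. The base directory and sample paths are assumptions for the demo.

```python
import posixpath
from urllib.parse import unquote


def safe_join(base: str, user_path: str) -> str:
    """Join a user-supplied relative path onto base and prove lexically that the
    result stays inside base. Raises ValueError otherwise."""
    base = posixpath.normpath(base)
    # Decode once, the way the web server did before the path reached us: "%2e%2e/"
    # is "../". A double-encoded "%252e" decodes to a literal "%2e" directory name,
    # which cannot traverse and is left alone.
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    if "\\" in decoded:
        raise ValueError("backslash in path")  # a separator on Windows, a trap on POSIX
    if posixpath.isabs(decoded):
        raise ValueError("absolute path not allowed")
    target = posixpath.normpath(posixpath.join(base, decoded))
    # Prefix test must include the trailing slash, or /srv/files2 would pass for /srv/files.
    if target != base and not target.startswith(base.rstrip("/") + "/"):
        raise ValueError(f"path escapes base: {user_path!r}")
    return target


def is_safe(base: str, user_path: str) -> bool:
    try:
        safe_join(base, user_path)
        return True
    except ValueError:
        return False
```

This is a lexical check only: on a real file system, resolve the result with `os.path.realpath` and repeat the prefix test, otherwise a symlink inside the base directory can still point outside it.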
29. Open-source Security: Best Practices
• Use SCA (Software Composition Analysis) tools to inventory dependencies and match them against known vulnerabilities
• Enforce consistent security audits
• Patch as soon as possible
• Canonicalize and validate file paths (after decoding) to prevent directory traversal
• Use an open-source security lifecycle
• Make pre-approved, easy-to-consume libraries, packages, toolchains and processes available
• Responsible security disclosure
• Secure the code base with code review; audit the code base
• Ensure compliance with software licenses, an essential step in reducing business risk: breach of an open-source license can amount to IP infringement
• Tools, e.g. OWASP ZAP, SonarQube, Black Duck
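The core of what an SCA tool does, reduced to its essentials as an added example (not code from the deck): parse a pinned requirements list, compare each pinned version against advisory version ranges, and report the matches with the fixed version. The advisory records here are constructed, with made-up package names and DEMO- identifiers rather than real CVEs, and the version syntax handled is the simple dotted-integer form.

```python
import re
from typing import Dict, List, Tuple

# Constructed advisory feed for the demo: fake packages and IDs, not real CVEs.
ADVISORIES = [
    {"id": "DEMO-2019-001", "package": "examplelib", "vulnerable": "<1.4.2", "fixed": "1.4.2"},
    {"id": "DEMO-2019-002", "package": "examplelib", "vulnerable": ">=2.0.0,<2.0.5", "fixed": "2.0.5"},
    {"id": "DEMO-2019-003", "package": "otherpkg", "vulnerable": "<0.9.0", "fixed": "0.9.0"},
]

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")
_SPEC_RE = re.compile(r"^(<=|>=|==|<|>)\s*([0-9][0-9.]*)$")


def parse_version(v: str) -> Tuple[int, ...]:
    # Tuples compare component-wise, so 1.10.0 > 1.9.0 as expected.
    return tuple(int(x) for x in v.split("."))


def matches(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated clause, e.g. '>=2.0.0,<2.0.5'."""
    ver = parse_version(version)
    for clause in spec.split(","):
        m = _SPEC_RE.match(clause.strip())
        if not m:
            raise ValueError(f"bad clause {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        ok = {"<": ver < bound, "<=": ver <= bound, ">": ver > bound,
              ">=": ver >= bound, "==": ver == bound}[op]
        if not ok:
            return False
    return True


def parse_requirements(lines: List[str]) -> Dict[str, str]:
    """Read pinned 'name==version' lines (pip-compile style); comments and blanks are ignored."""
    pins: Dict[str, str] = {}
    for line in lines:
        m = _REQ_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def audit(lines: List[str], advisories=ADVISORIES) -> List[Tuple[str, str, str, str]]:
    """Return (package, installed, advisory id, fixed-in) for every advisory that applies."""
    pins = parse_requirements(lines)
    findings = []
    for adv in advisories:
        installed = pins.get(adv["package"].lower())
        if installed and matches(installed, adv["vulnerable"]):
            findings.append((adv["package"], installed, adv["id"], adv["fixed"]))
    return findings
```

Two things the real tools add that this demo deliberately skips: the advisory feed is pulled from CVE/NVD or an ecosystem database and kept current, and the input is a full lockfile so transitive dependencies (the "indirect dependency" challenge on slide 26) are checked, not just the packages you typed.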
31. Your Journey: get a handle on these for a SMOOTH SAIL!