Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

WebAppSec: Assessment and Defense


Published on

Slides for OWASP Pune Chapter Meetup dated 21st Apr 2016

Testing web applications for security issues and protecting them effectively needs use of various methodologies. Each of these have their own advantages and disadvantages. The talk starts with overview of the methodologies and then talks about how they can be combined to get the best results. Towards the end also touches up the emerging trends in the WebAppSec world.

Published in: Software
  • Here is a nice article explaining need for combining different tools and methodologies for better protection:
    Are you sure you want to  Yes  No
    Your message goes here

WebAppSec: Assessment and Defense

  1. 1. WebAppSec Assessment and Defense Ajit Dhumale OWASP Pune Chapter Meetup 21st April 2016
  2. 2. WebApp eco-system OS/VM/Docker Web Server App Container WepApp Network Stack DB NoSQL … Browser UserInternet FW NAT LB Data Center App
  3. 3. Assessment and Defense • Assessment – Test if web app has vulnerabilities • Defense – Protect against known and unknown vulnerabilities
  4. 4. Assessment BlackBox Vs WhiteBox
  5. 5. BlackBox vs WhiteBox Images credit: (Photo by khunaspix, patrisyu)
  6. 6. DAST (BlackBox) • Easy logistics • (Fairly) low FP rate* DAST: Dynamic Application Security Testing WebAppHTTP(s)://
  7. 7. DAST: How it works? Crawl: Get links, forms and AJAX requests to test Test (mostly fuzzing): Send malformed/evil variants of the crawled requests and see how the web app responds
  8. 8. DAST: Concerns – Coverage • Is the entire web app crawled? • Auto form filling • Authentication – Redundant links • • • • • Thousands of similar links – Less direct help to developers
  9. 9. SAST (WhiteBox) Source Code SAST: Static Application Security Testing Images:
  10. 10. SAST • High FP • Difficult Logistics – Access to source code – Confidentiality/trust issues • Provides direct help to developers • Programming language dependent – News languages, templating, runtime binding  problems • (opaque) 3rd party libraries, external systems
  11. 11. IAST • Co-relatedDASTandSASTresults OR • Insertmonitoringagentinapplicationruntime. • ObserverappbehaviorwhiledrivingtheappusingDAST • TunetheDASTtests(automatically)basedonmonitoring Provides • Bettercoverage,accuracyandefficiency • Betterdirecthelptodevelopers IAST:Interactive/integratedApplicationSecurityTesting I DAST SAST T
  12. 12. Assessment Manual Vs Automated
  13. 13. Automated vs Manual Lower accuracy Higher FP High accuracy* Low FP* Fast Hours to days per web app Slower Weeks to months per web app Bad at business logic flaw detection Good at business logic flaw detection* Lower cost Very (very) high cost * Subject to expertise of the manual pen tester(s)
  14. 14. Automated and Manual Automated with manual assistance Manual verification Best of both worlds
  15. 15. We found vulnerabilities now what?
  16. 16. Fix the vulnerabilities …but what till the fix is available? Patch in on the way …
  17. 17. WebAppFirewall • Protects production web apps from attacks
  18. 18. WAF: How it works • Block malicious (looking) requests – Rules – Heuristics – Blacklist/whitelist • Add protection in responses – Security headers – Frame bursting – Sign/encrypt cookie/hidden fields W A F
  19. 19. Deploying WAF (phases) • Training – Observe traffic – Learn normal traffic/patterns – Formulate rules /create baseline • Notification – Apply rules, notify violation – (manually) tune the rules • Block – Apply rules, block violations – Filter suspicious input – Fine tune rules
  20. 20. WAF Concerns • Installation needs network changes – SSL termination • Longer deployment cycles – App specific training/configuration – App changes might warrant re-training/configuration • Potential performance impact • Point of failure • Incorrect rule  blocks legit traffic  business impact
  21. 21. WAF bypass • Naïve pattern based filtering can be bypassed
  22. 22. RASP Runtime Application Self-Protection • Installs runtime agent within the application binary (runtime dependency) • Analyzes input, event flow and application behavior at runtime • Alerts or stops malicious execution
  23. 23. WAF vs RASP External Internal One for many apps One (agent) per app Technology* Independent Technology* Dependent *Programming language and runtime Images credit: (Photo by taoty, Sura Nualpradid)
  24. 24. Trends/Future • Browser side security – CSP – HSTS – Public Key-pinning (HPKP) – X-Frame-Options – X-XSS-Protection – X-Content-Type-Options – … • DAST – JavaScript Analysis (DOM XSS and more) – Blind vulnerability detection – REST APIs, mobile apps – HTML5, HTTP2 • Secure coding/development – Static code analysis with-in IDE – Secure libraries and frameworks – Lifecycle: Design + Dev + Test + Ops • SAST + DAST + WAF + RASP
  25. 25. ? Questions
  26. 26. Credits • Images: – Icons: – Images: