ABCs of Software Security: SQL Injection Prevention
Presented by: Colin Buckton, Jose Kaharian, David Klassen
Introduction
● Colin Buckton
  ○ OWASP - Web Security Awareness Group
  ○ SQL Injection vulnerability description
● David Klassen
  ○ Demonstrate SQL Injection and what is at risk
  ○ Show prevention of SQL Injection at the code level
● Jose Kaharian
  ○ Business research concerning security (BSIMM)
  ○ Secure coding is becoming a hiring priority
Colin Buckton
● Easy ways to learn about web app security
  ○ OWASP - Web App Security Awareness Group
  ○ Web App Sec tutorial video series on YouTube
  ○ Top Ten - Web Application Security Risks
  ○ Top Ten item #1 - SQL Injection vulnerability
Three Stages of Software Security Awareness
1. Progress begetting vulnerability was accepted as reality
  ○ "To make an omelette..."
2. The onus fell on the consumer to protect themselves
  ○ Firewall, anti-malware, best practices
  ○ Preventative measures cost companies money
3. Producers must design securely
  ○ Build security in
  ○ Preventative measures save money
  ○ Awareness is needed
OWASP - The Open Web Application Security Project
● OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software
● Purpose: help everyone build more secure web applications and services
● Founded December 1st, 2001
● Provides information and training materials in an "open-source" model
OWASP WebAppSec Tutorial Series
● OWASP provides a series of training videos
● Goal is to make "top notch" security training accessible to the public
● Making AppSec (Application Security) more visible
● Licensed under Creative Commons so you can share freely
OWASP Top 10 Project
● The Top 10 is a list of security risks to web applications as assessed by the OWASP Risk Rating Methodology
● The names of the risks in the Top 10 stem from the type of attack, the type of weakness, or the degree of impact they cause
#1 Top 10 item - SQL Injection
● Injection attacks are the top-rated risk
● How they work:
  ○ A section of code in your program builds a query by pasting untrusted input into the SQL text
  ○ The attacker sends text that exploits the query syntax
  ○ This creates an unintended query, e.g. -> SELECT * FROM accounts WHERE custID='' OR '1'='1'
  ○ The interpreter returns data on ALL accounts, and the attacker may even reach special commands and take over the server
#1 Top 10 item - SQL Injection
● How to prevent SQLi
● OWASP makes suggestions on how to fix this
  ○ Use a safe Application Programming Interface (API) that keeps user input out of the query text, i.e. parameterized queries / prepared statements
    ■ Interface objects hand user input to the interpreter as data, never as part of the statement
  ○ "Escaping" the user input for the interpreter
    ■ e.g. the quote in " ' or 1=1 " is escaped so it cannot terminate the string literal
    ■ Escaping rules are database-specific, so treat this as a last resort behind a parameterized API
  ○ Use a whitelist (allow-list) of acceptable characters
    ■ e.g. only allow alphanumerics for input
    ■ Not always feasible if some searches require those special characters
David Klassen
● Demonstrate exploitation of a web app
  ○ Discuss the compromise and the worst facts about it
  ○ Talk about the tools used in detection
  ○ Show prevention of SQL Injection at the code level
  ○ Architectural things to think about
What SQLi is
● Can leak data or lead to server-level penetration
● It exists in the web application itself
● Really, it exists because it was coded into the app
● The wrong types of API/SQL calls are made (queries assembled from strings rather than bound parameters)
● The application does not handle/encode corner cases well
SQLi Demonstration
● Lab21 that has been analyzed via ZAP
● sqlmap can be used to prove/exploit an SQLi
● Review database info enumerated via the SQLi
● Fix the code
● Point out why it is fixed
● Show proof of the fix
  ■ https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
● Data model/architecture issues:
  ○ Never use sys/admin/root accounts for the application's database connection
  ○ Application/database user separation
  ○ Privilege separation for admin features
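The following is an added example, not the Lab21 code or anything from the slides: it reproduces the "How they work" query from the SQL Injection slide against an in-memory SQLite table, then shows the two fixes from the prevention slide (a parameterized API and an alphanumeric allow-list) that the demonstration's "fix the code / show proof of the fix" steps call for. The table name and columns follow the slide's `SELECT * FROM accounts WHERE custID=...` query; the rows, the `ENUM_PAYLOAD` that pulls the schema out of `sqlite_master` (what sqlmap automates), and the `cust_id` format rule are constructed for the example.

```python
# Added example (not from the slides or Lab21): the tautology injection from
# the "How they work" slide, next to the parameterized fix and an allow-list.
import re
import sqlite3

# Constructed sample rows standing in for the lab's accounts table.
SAMPLE_ACCOUNTS = [
    ("cust001", "Alice", 120.00),
    ("cust002", "Bob", 75.50),
    ("cust003", "Carol", 9999.99),
]

# The classic tautology from the slide, and a UNION payload that reads the
# schema back out of sqlite_master ("-- " comments out the trailing quote).
PAYLOAD = "' OR '1'='1"
ENUM_PAYLOAD = "' UNION SELECT name, sql, NULL FROM sqlite_master --"


def build_db():
    """Create an in-memory accounts table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, name TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, cust_id):
    """The 'before' code: user input is pasted straight into the SQL text.

    With cust_id = "' OR '1'='1" the statement becomes
        SELECT * FROM accounts WHERE custID='' OR '1'='1'
    whose WHERE clause is true for every row, so ALL accounts come back.
    """
    sql = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, cust_id):
    """The fix: a parameterized query (the OWASP 'safe API' option).

    The driver sends the statement and the value separately, so quotes in
    the input can never change the query's structure; the whole payload is
    compared literally against custID and matches nothing.
    """
    sql = "SELECT * FROM accounts WHERE custID=?"
    return conn.execute(sql, (cust_id,)).fetchall()


# Assumed format rule for this example: customer IDs are 1-16 alphanumerics.
CUST_ID_RE = re.compile(r"^[A-Za-z0-9]{1,16}$")


def is_valid_cust_id(cust_id):
    """Allow-list check (the OWASP whitelist option).

    Defence in depth on top of parameterization, not a replacement for it:
    it rejects both payloads above before they reach the database.
    """
    return CUST_ID_RE.fullmatch(cust_id) is not None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, tautology:", len(lookup_vulnerable(db, PAYLOAD)), "rows")
    print("vulnerable, schema dump:", lookup_vulnerable(db, ENUM_PAYLOAD))
    print("parameterized, tautology:", len(lookup_safe(db, PAYLOAD)), "rows")
    print("allow-list accepts payload:", is_valid_cust_id(PAYLOAD))
```

Run it and the vulnerable lookup returns every account for the tautology and the `CREATE TABLE` text for the UNION payload, while the parameterized lookup returns nothing for either and the allow-list rejects both before a query is built. The architecture bullets above still apply on top of this: even a parameterized query run as root can do more damage than one run as a dedicated low-privilege application user.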
Jose Kaharian
● BSIMM - business research about security
  ○ Numerous security breach issues/prevention
  ○ Businesses are busy cleaning up their process/code
  ○ A study is useful for reflection about what works
  ○ Secure coding is becoming a hiring priority
SQLi Basic Facts
● Growing history of actual attacks
  ○ Sony PlayStation Network
    ■ http://www.theregister.co.uk/2011/04/26/sony_playstation_network_security_breach/
  ○ Dating site hacks
    ■ eHarmony/PlentyOfFish
  ○ Heartland Payment Systems and TJX retailer (Winners/HomeSense)
    ■ http://www.securityfocus.com/news/11557
● What is the result?
  ○ The finances and private lives of consumers are at stake
  ○ Reduces consumer confidence in a company
How to reverse the trend?
● What is BSIMM?
  ○ Building Security In Maturity Model
  ○ A study of real-world software security initiatives
  ○ Designed to help companies understand, measure, and plan a software security initiative
● What makes BSIMM so special?
  ○ Does not tell you what you should do; instead, it tells you what everyone else is actually doing
  ○ This approach stands in sharp contrast to "faith-based" approaches to software security
  ○ Can be used as a measuring stick, in comparison to other businesses
  ○ Sharing data can help other organizations tackle real problems
BSIMM4 Study of 51 Companies
● Businesses getting serious about security
Software Security Framework
● Four business areas (domains) for change
● Each with three basic security practices, twelve practices in total
● Note: Code Review and Security Testing are among them
Important Business Goals
● Convincing reasons for adopting security
● Offers a wide view of potential business benefits
● Compliance with PCI/PII/privacy and legal regulations
Measure 111 Security Activities
● Here is a breakdown of one of the twelve practices
● Shows nine different possible activities
● Not all activities will match a business's needs
Businesses Can Participate
● The BSIMM study is open to new participants
● By joining the community a business can progress towards better consideration for security
● Businesses who participate can also gain from the anonymous intelligence shared by other businesses
● In general, businesses seeking to broaden or strengthen their security stance will benefit from this data
Measure Software Security vs. Peers
● Compare: software vendors vs. financials
Security is becoming important
● More and more companies are attempting to find ways to combat fraud (Amazon, Microsoft, Apple, etc.):
  ○ Big Data solutions to analyze transactions
  ○ Grappling with social engineering of credentials
  ○ Preventing attacks on users via your website's flaws
● By learning about security risks, and how to create better code, the value of your creations will go up
● Companies are looking for talent that is willing to embrace a risk-savvy way of creating apps
● Especially in financial, telecom, and traditional high-value markets
Class Exercise
Lab12a - Cross Site Scripting (XSS) Discovery:
http://dbavedb.comeze.com/xss.htm
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet