Self Defending Applications

Applications are constantly under attack. Unfortunately, nearly all applications have no capability of detecting an attacker or responding before a breach occurs. Those applications sit passively and allow the attacker to constantly unleash attack after attack. Let's change the game and equip our application with the resources to detect an attack with high accuracy and respond in real time to prevent a compromise by eliminating the threat from the system.

In this talk we'll cover the OWASP AppSensor project – a project that details how to instrument an application to become attack aware and immediately respond to neutralize threats.  This project is backed by multiple talented security experts that have been advancing the project for the past three years. AppSensor has been featured in the Department of Defense Cross Talk journal, presented at the US Department of Homeland Security resilient software conference and at security conferences around the world.

Published in: Technology

1. Creating Self Defending Applications to Repel Attackers
   Michael Coates, @_mwc

2. Background – 12 years of security adventures
   • Chairman OWASP Board
   • Shape Security: Director of Product Security
   • Built and led security program protecting 450 million Firefox users & Mozilla systems
   • Secured code processing millions of dollars daily
   • Bypassed electronic voting systems
   • Defended Fortune 100 global network
   • Infiltrated telco for mobile networks in Asia and Middle East
   • “Talked” my way into bank server rooms & to obtain user passwords

3. Billion Dollar Cybercrime
   ~US $350 Billion – Global Drug Trafficking Estimates
   US $170 Billion – Apple Annual Revenue 2013
   US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP)
   US $469 Billion – Walmart Annual Revenue 2013
   US $95 Billion – Morocco 2012 Gross Domestic Product (GDP)
   US $112 Billion – Hewlett-Packard Annual Revenue 2013
   US $104 Billion – Honda Annual Revenue 2012

4. Billion Dollar Cybercrime (the same comparison as slide 3, with one figure added)
   US $113 Billion – Global price tag of consumer cybercrime

5. Cost of Security
   • Cybercrime cost to companies – 26% increase 2012 to 2013
   • Cybercrime cost to individual – 50% increase 2012 to 2013
   • Cost per breached record to company – Average US $136

6. Largest Single Culprit: Hacking
   Verizon Data Breach Report 2013 – 52% involved Hacking
   2013 Incidents by Breach Type (datalossdb.org) – 48% from Hacking

7. Opportunistic Scanners
   • Scan web for common vulnerabilities
   • Highly leverage automation
   • Often untargeted
   75% Attacks Opportunistic – Verizon Data Breach Report 2013

8. Underground Market Prices (2013 Dell SecureWorks, USD)
   Visa, American Express, Discover – $4-$8
   Credit Card with track 1 and 2 data – $12
   Full user information – $25
   1,000 Infected Computers – $20
   DDOS Attacks (per hour) – $3-$5

9. The Objective
   • Protect the most critical data
   • Handle known and unknown attacks
   • Identify attackers before compromise
   • Automated – no humans needed

10. Critical Data
   Applications store & allow access to critical data – by design:
   Name, Email, Address, Credit Card, Bank Information, Medical Information, Purchase History, Affiliations …

11. Gut Check – Current Defenses Are Failing
   • Custom code
   • Unique vulnerabilities -> tailored patches
   • Unrealistic defensive postures
   • Signatures only protect against last generic attack
   • Human required interaction is too slow
   • Valid signals are lost / ignored
   • Attackers constantly probe and attack applications without deterrence

12. Self Defending Applications: The Attacker

13. Attack Points: Requests, Auth, Session

14. Attack Points: Access Control

15. Attack Points: Input Validation

16. Attack Points: Business Logic

17. Self Defending Applications: In The Code

18. Attack Exposure

19. Defend with: Detection Points

20. Detecting Attacks
   • 50+ attack detection points and growing
   • Signature & Behavioral
   • Many have nearly zero false positive rate
     – Can’t be encountered accidentally by user
     – POST vs GET
     – ‘ OR ‘1’=‘1’
   http://www.owasp.org/index.php/AppSensor_DetectionPoints

21. Centralize Attack Detection Knowledge
   • Detection Points Report to Central Location
   • AppSensor Integrates w/User Store
   • Enables Response Actions against User Object

22. Detect & Eliminate Threat
   • Strong control of authenticated portion
     – Lockout user
     – Disable account
   • Effective attack reporting for unauthenticated portion

23. App Defense Eliminates Threats

24. App Defense Eliminates Threats – Block attacker & minimize threat

25. Humans & Automation
   • Detection Points – Human driven attacks
   • Trend Analysis – Automated driven attacks

26. Human Driven

27. Automated

28. Attack Aware Resources
   • Cross Talk Sept, 2011 - crosstalkonline.org
   • Software Assurance - buildsecurityin.us-cert.gov/swa/attackaware.html

29. Alternatives?
   • Self Defending – in the app, full user object interaction, full app knowledge
   • Web Application Firewall (stand alone) – generic attack detection
   • Log Analysis – slow, reactive, ineffective, ignored

30. Self Defending Applications: In The Lifecycle & Organization

31. Threat Modeling
   – Identify critical business functionality
   – Capture abuse cases
   – Define detection methods

32. Example
   • Grant Permission Page site.com/UpdatePermission
     – Inputs:
       • targetUser - Integer
       • grantPerm - Integer (1,2,3) (Read, Write, Delete)
     – Access Control Requirement:
       • Page Access: Power User
       • Functionality Access: Power User
       • Target User: Non-admin

33. Abuse Cases
   • Non-integer submitted for targetUser
   • Invalid number submitted for grantPerm
   • Force browsing to page from unauthorized account (HTTP GET)
   • Force submission to page from unauthorized account (HTTP POST)
   • Target user is admin account
   • Unexpected rate of use (100 perm changes in 10 seconds?)

34. Risk Analysis
   • Tolerance for Fraud & Abuse
   • Define Acceptable Response
     – Alert Admins
     – Logout / Lock Accounts
     – Limit Functionality
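The UpdatePermission example, its abuse cases and the response options from slides 32 to 34, written as one request handler with detection points. This is an added example for this page, not AppSensor's or the author's code; the page, inputs, access rules and abuse cases come from the slides, while the in-memory user store, the severity numbers, the 100-changes-in-10-seconds threshold and the lock-at-severity-8 policy are assumptions.

```python
from collections import defaultdict, deque

VALID_PERMS = {"1", "2", "3"}          # grantPerm: 1=Read, 2=Write, 3=Delete (from the slide)
RATE_LIMIT, RATE_WINDOW = 100, 10.0    # abuse case: 100 perm changes in 10 seconds

# Constructed user store for the example: user id -> role and lock flag (assumption)
USERS = {
    1:  {"role": "admin", "locked": False},
    10: {"role": "power", "locked": False},
    11: {"role": "power", "locked": False},
    20: {"role": "user", "locked": False},
}
EVENTS = []                             # what the central detection store would receive
_recent = defaultdict(deque)            # actor id -> timestamps of recent perm changes


def report(actor, label, severity):
    """A detection point fired: record it centrally and apply the response policy.
    Policy (assumed, following the Risk Analysis slide): severity >= 8 locks the
    account; anything lower only alerts admins."""
    EVENTS.append((actor, label, severity))
    if severity >= 8:
        USERS[actor]["locked"] = True
        return "locked"
    return "alert"


def update_permission(actor, method, target_user, grant_perm, now):
    """Handle one request to UpdatePermission; inputs arrive as raw strings.
    Returns 'ok', 'denied' (actor already locked) or the response taken."""
    if USERS[actor]["locked"]:
        return "denied"
    if USERS[actor]["role"] != "power":
        # Force browsing (GET) or forced submission (POST) from an unauthorized account
        if method == "POST":
            return report(actor, "unauthorized forced submission", 8)
        return report(actor, "unauthorized force browsing", 6)
    if method != "POST":
        return report(actor, "wrong HTTP method (GET instead of POST)", 4)
    if not target_user.isdigit():
        # The form only ever submits an integer, so this cannot happen accidentally
        return report(actor, "non-integer targetUser", 8)
    if grant_perm not in VALID_PERMS:
        return report(actor, "invalid grantPerm", 8)
    if USERS.get(int(target_user), {}).get("role") == "admin":
        return report(actor, "target user is admin", 8)
    q = _recent[actor]                  # sliding window of this actor's perm changes
    q.append(now)
    while now - q[0] > RATE_WINDOW:
        q.popleft()
    if len(q) > RATE_LIMIT:
        return report(actor, "unexpected rate of use", 7)
    return "ok"
```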
35. Response Options

36. Timing & Flow (labels from the flow diagram)
   Attack Detection Points, Common Attack Vectors, Design Requirements, Threat Modeling, Unique App Attack Vectors, Risk Analysis, Response Policy/Plan, Response Capabilities

37. Organization Support (Who – Action)
   Architects, Developers, Biz Owners, Security SMEs – Threat Modeling, Determine Detection Points
   Biz Owners, Architects, Security SMEs – Determine Response Actions
   Architects, Security SMEs – Design Response Architecture
   Operations Team, Security SMEs – System Communication for Detection Logging & Response
   Developers, Security SMEs – Implement Detection Point & Response Code
   Monitoring Team, Security SMEs – Define monitoring thresholds, alerting/action requirements

38. Self Defending Applications: Live Implementations

39. Common Event Format (CEF)
   • Emerging standard on logging format
   • Easily parsed by security integration manager (SIM)
   • Enables AppSensor Logging
   CEF:0|Mozilla|MozFooApp|1.0 |ACE0|Access Control Violation|8|rt=01 31 2010 18:30:01 suser=janedoe suid=55 act=Action Denied src=1.2.3.4 dst=2.3.4.5 requestMethod=POST request=http://foo.mozilla.org/foo/abc.php?a=b cs1Label=requestClientApplication cs1=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2 msg=Additional Data here
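Rendering and parsing the CEF line above with the escaping the format requires (backslash and pipe in header fields; backslash, equals sign and newline in extension values), as an added example that is not the project's code. The field values are the ones on the slide; the parser is a simplified one that assumes extension keys are alphanumeric, which holds for the standard keys used here.

```python
import re


def _esc_header(value):
    """CEF header fields: escape backslash and the pipe separator."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """CEF extension values: escape backslash, '=' and newlines."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def cef_event(vendor, product, version, sig_id, name, severity, **ext):
    """Render one CEF:0 line: six escaped header fields, then key=value extensions."""
    header = "|".join(_esc_header(v) for v in (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def parse_cef(line):
    """Inverse of cef_event: returns (header fields, extension dict).
    Simplified: extension keys are assumed to be alphanumeric."""
    if not line.startswith("CEF:0|"):
        raise ValueError("not a CEF:0 line")
    fields, cur, i = [], [], len("CEF:0|")
    while len(fields) < 6:                     # walk the header honouring \| and \\
        c = line[i]
        if c == "\\":
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    unescape = lambda v: re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), v)
    ext, rest = {}, line[i:]
    for kv in (re.split(r" (?=[A-Za-z0-9]+=)", rest) if rest else []):
        key, val = kv.split("=", 1)            # values may contain spaces (e.g. user agent)
        ext[key] = unescape(val)
    return fields, ext


# The access-control event from the slide, rebuilt from its individual fields
SLIDE_EVENT = cef_event(
    "Mozilla", "MozFooApp", "1.0", "ACE0", "Access Control Violation", 8,
    rt="01 31 2010 18:30:01", suser="janedoe", suid=55, act="Action Denied",
    src="1.2.3.4", dst="2.3.4.5", requestMethod="POST",
    request="http://foo.mozilla.org/foo/abc.php?a=b",   # the '=' must be escaped
    cs1Label="requestClientApplication",
    cs1="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) "
        "Gecko/20100316 Firefox/3.6.2",
    msg="Additional Data here")
```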
40. SIM Deployment

41. Full Stack Knowledge
   • Application Layer - Custom attack / abuse notification
   • Network Layer - IDS activity, firewall failures
   • OS Layer - OS commands (AuditD), System event logs

42. Data Analysis (chart series: Failed Captcha on Create; User Account Created; User Authentication Failed)

43. Trend Analysis

44. Top Users Failing Auth within Application

45. App Use Mapping (columns: Operation, IP Address, Account)

46. Operations mapped: Auth Failed, New Account, Change Password

47. 1 IP Address, Multiple Users – Auth Fail, New Account
   acct1 - pw change
   acct 2 - auth failed
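The trend analysis of slides 43 to 47 (top users failing authentication, the per-IP app use map, and the "one IP address, multiple users" pattern) run over a constructed set of application events. This is an added example rather than the author's tooling; the event tuples, the operation names and the two-account threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of application events: (source ip, account, operation)
SAMPLE_EVENTS = [
    ("203.0.113.5", "acct1", "auth_failed"),
    ("203.0.113.5", "acct1", "auth_failed"),
    ("203.0.113.5", "acct1", "change_password"),
    ("203.0.113.5", "acct2", "auth_failed"),
    ("203.0.113.5", "acct3", "new_account"),
    ("198.51.100.7", "acct4", "auth_failed"),
    ("198.51.100.7", "acct4", "auth_failed"),
    ("198.51.100.7", "acct4", "auth_failed"),
    ("198.51.100.9", "acct5", "new_account"),
    ("198.51.100.9", "acct5", "change_password"),
]
SENSITIVE_OPS = {"new_account", "change_password"}


def top_failing_auth(events, n=3):
    """Slide 44: the accounts with the most authentication failures."""
    return Counter(acct for _, acct, op in events if op == "auth_failed").most_common(n)


def app_use_map(events):
    """Slide 45: for each IP address, the accounts and operations seen from it."""
    usage = defaultdict(lambda: {"accounts": set(), "ops": set()})
    for ip, acct, op in events:
        usage[ip]["accounts"].add(acct)
        usage[ip]["ops"].add(op)
    return usage


def suspicious_ips(events, min_accounts=2):
    """Slide 47 pattern: one IP touching several accounts, with auth failures
    mixed with account creation or password changes (threshold assumed)."""
    hits = []
    for ip, seen in app_use_map(events).items():
        many_accounts = len(seen["accounts"]) >= min_accounts
        mixed = "auth_failed" in seen["ops"] and bool(seen["ops"] & SENSITIVE_OPS)
        if many_accounts and mixed:
            hits.append(ip)
    return sorted(hits)
```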
48. Summary – Self Defending Applications:
   • Detect Malicious Activity in Critical Apps
   • Enable Immediate Response
   • Prevent/Limit Compromise
   • Require Organization Support

49. AppSensor Project
   • AppSensor: Version 2 of Book
   • Sub-project: Preventing Automated Attacks
     – owasp.org/index.php/OWASP_AppSensor_Project/PAA
     – Evaluating current approaches, costs & efficacy
       • CAPTCHA, IP Blocking, Reputation, Human Analysis, etc
   • Join Us!
     – owasp.org/index.php/Category:OWASP_AppSensor_Project
     – owasp-appsensor-project@lists.owasp.org

50. Questions? @_mwc michael.coates@owasp.org