1.
<ul><li>Session E2 </li></ul><ul><li>Secure SDLC for Software Assurance </li></ul><ul><li>Date: Monday, 19 April 2010 Time: 1:30pm - 3pm </li></ul><ul><li>Shreeraj Shah </li></ul><ul><li>Founder and Director, Blueinfy; Author, Web 2.0 Security and Web Hacking: Attacks and Defense </li></ul>
2.
Who Am I? <ul><li>Founder & Director </li></ul><ul><ul><li>Blueinfy Solutions Pvt. Ltd. (Brief) </li></ul></ul><ul><ul><li>SecurityExposure.com </li></ul></ul><ul><li>Past experience </li></ul><ul><ul><li>Net Square, Chase, IBM & Foundstone </li></ul></ul><ul><li>Interest </li></ul><ul><ul><li>Web security research </li></ul></ul><ul><li>Published research </li></ul><ul><ul><li>Articles / Papers – SecurityFocus, O'Reilly, DevX, InformIT etc. </li></ul></ul><ul><ul><li>Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. </li></ul></ul><ul><ul><li>Advisories – .NET, Java servers etc. </li></ul></ul><ul><li>Books (Author) </li></ul><ul><ul><li>Web 2.0 Security – Defending Ajax, RIA and SOA </li></ul></ul><ul><ul><li>Hacking Web Services </li></ul></ul><ul><ul><li>Web Hacking </li></ul></ul>http://shreeraj.blogspot.com [email_address] http://www.blueinfy.com
9.
Root cause of Vulnerabilities (CSI Security Survey, vulnerability distribution): programming errors 64%; misconfiguration and other problems 36%.
10.
Source Code Issues <ul><li>1 security defect per 10,000 lines of code </li></ul><ul><li>Reported </li></ul><ul><ul><li>30,000+ at CVE </li></ul></ul><ul><ul><li>6,000+ at IBM X-Force </li></ul></ul><ul><li>70% of developers are working on application coding </li></ul><ul><li>4 of the top 5 vulnerabilities are at the application layer </li></ul><ul><li>Expensive to fix once shipped </li></ul>
12.
Enterprise level bugs (figure): input classes (A-Z characters, integer/number, special characters) reach a decision point and its exception handler; the application ends either in the expected state or in a vulnerable state that is open to potential exploitation.
14.
Threats and Controls (figure; source: Web Application Security Consortium)
15.
CVE/CWE - Errors <ul><li>Insecure Interaction Between Components </li></ul><ul><ul><li>These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems. </li></ul></ul><ul><ul><li>CWE-20 : Improper Input Validation </li></ul></ul><ul><ul><li>CWE-116 : Improper Encoding or Escaping of Output </li></ul></ul><ul><ul><li>CWE-89 : Failure to Preserve SQL Query Structure (aka 'SQL Injection') </li></ul></ul><ul><ul><li>CWE-79 : Failure to Preserve Web Page Structure (aka 'Cross-site Scripting') </li></ul></ul><ul><ul><li>CWE-78 : Failure to Preserve OS Command Structure (aka 'OS Command Injection') </li></ul></ul><ul><ul><li>CWE-319 : Cleartext Transmission of Sensitive Information </li></ul></ul><ul><ul><li>CWE-352 : Cross-Site Request Forgery (CSRF) </li></ul></ul><ul><ul><li>CWE-362 : Race Condition </li></ul></ul><ul><ul><li>CWE-209 : Error Message Information Leak </li></ul></ul>Source – CWE/CVE - http://cwe.mitre.org/top25/index.html
16.
CVE/CWE - Errors <ul><li>Risky Resource Management </li></ul><ul><ul><li>The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources. </li></ul></ul><ul><ul><li>CWE-119 : Failure to Constrain Operations within the Bounds of a Memory Buffer </li></ul></ul><ul><ul><li>CWE-642 : External Control of Critical State Data </li></ul></ul><ul><ul><li>CWE-73 : External Control of File Name or Path </li></ul></ul><ul><ul><li>CWE-426 : Untrusted Search Path </li></ul></ul><ul><ul><li>CWE-94 : Failure to Control Generation of Code (aka 'Code Injection') </li></ul></ul><ul><ul><li>CWE-494 : Download of Code Without Integrity Check </li></ul></ul><ul><ul><li>CWE-404 : Improper Resource Shutdown or Release </li></ul></ul><ul><ul><li>CWE-665 : Improper Initialization </li></ul></ul><ul><ul><li>CWE-682 : Incorrect Calculation </li></ul></ul>Source – CWE/CVE - http://cwe.mitre.org/top25/index.html
17.
CVE/CWE - Errors <ul><li>Porous Defenses </li></ul><ul><ul><li>The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored. </li></ul></ul><ul><ul><li>CWE-285 : Improper Access Control (Authorization) </li></ul></ul><ul><ul><li>CWE-327 : Use of a Broken or Risky Cryptographic Algorithm </li></ul></ul><ul><ul><li>CWE-259 : Hard-Coded Password </li></ul></ul><ul><ul><li>CWE-732 : Insecure Permission Assignment for Critical Resource </li></ul></ul><ul><ul><li>CWE-330 : Use of Insufficiently Random Values </li></ul></ul><ul><ul><li>CWE-250 : Execution with Unnecessary Privileges </li></ul></ul><ul><ul><li>CWE-602 : Client-Side Enforcement of Server-Side Security </li></ul></ul>Source – CWE/CVE - http://cwe.mitre.org/top25/index.html
20.
Enterprise SDLC <ul><li>1. Analysis and Assessment </li></ul><ul><li>2. Design Specification </li></ul><ul><li>3. Software Development </li></ul><ul><li>4. Implementation </li></ul><ul><li>5. Support </li></ul><ul><li>6. Performance Monitoring </li></ul>
21.
Missing in SDLC <ul><li>The traditional SDLC runs independently of security concerns </li></ul><ul><li>Analysis is done without a security perspective </li></ul><ul><li>Vulnerabilities are discovered after development and deployment </li></ul><ul><li>Late fixes are hard and difficult </li></ul><ul><li>Fixing bugs that late is very costly </li></ul><ul><li>The industry is moving towards a security-aware SDLC </li></ul>
23.
SAMM <ul><li>Software Assurance Maturity Model (SAMM) </li></ul><ul><ul><li>A new OWASP project </li></ul></ul><ul><ul><li>Defines the maturity of security practice in an organization </li></ul></ul><ul><ul><li>Domain based and activity driven </li></ul></ul><ul><ul><li>A new approach </li></ul></ul><ul><ul><li>Industry adoption remains to be seen </li></ul></ul><ul><ul><li>http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model </li></ul></ul>
24.
SAMM in a nutshell <ul><li>Governance </li></ul><ul><ul><li>Strategy and Metrics </li></ul></ul><ul><ul><li>Policy and Compliance </li></ul></ul><ul><ul><li>Education and Guidance </li></ul></ul><ul><li>Construction </li></ul><ul><ul><li>Threat Assessment </li></ul></ul><ul><ul><li>Security Requirements </li></ul></ul><ul><ul><li>Secure Architecture </li></ul></ul><ul><li>Verification </li></ul><ul><ul><li>Design Review </li></ul></ul><ul><ul><li>Code Review </li></ul></ul><ul><ul><li>Security Testing </li></ul></ul><ul><li>Deployment </li></ul><ul><ul><li>Vulnerability Management </li></ul></ul><ul><ul><li>Environment Hardening </li></ul></ul><ul><ul><li>Operational Enablement </li></ul></ul>
26.
Methodology, Scan and Attacks (figure): black-box activities (Footprinting & Discovery, Enumeration & Crawling, Attacks and Scanning, Config Scanning) are run against the assets; defenses (Web Firewall, Secure Coding, Code Scanning) are what secure the assets; white-box work sits on the code side.
27.
Black vs. White <ul><li>Black (box) </li></ul><ul><ul><li>Architecture Review </li></ul></ul><ul><ul><li>Scoping </li></ul></ul><ul><ul><li>Footprinting </li></ul></ul><ul><ul><li>Discovery </li></ul></ul><ul><ul><li>Enumeration & Profiling </li></ul></ul><ul><ul><li>Security Controls & Cases </li></ul></ul><ul><ul><li>Vulnerability Assessment </li></ul></ul><ul><ul><li>Threat Modeling </li></ul></ul><ul><ul><li>Mitigation strategies </li></ul></ul><ul><ul><li>Reporting </li></ul></ul><ul><li>White (box) </li></ul><ul><ul><li>Architecture Review </li></ul></ul><ul><ul><li>Scoping </li></ul></ul><ul><ul><li>Threat Modeling </li></ul></ul><ul><ul><li>Code Enumeration </li></ul></ul><ul><ul><li>Security Controls & Cases </li></ul></ul><ul><ul><li>Entry Point Discoveries </li></ul></ul><ul><ul><li>Class, Function & Variable Tracing </li></ul></ul><ul><ul><li>Code Mapping and Functionality </li></ul></ul><ul><ul><li>Vulnerability Detection </li></ul></ul><ul><ul><li>Mitigation Controls </li></ul></ul><ul><ul><li>Reporting </li></ul></ul><ul><li>Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing. </li></ul>
28.
White vs. Black <ul><li>Scope of coverage </li></ul><ul><ul><li>The blackbox method uses crawling and spidering to discover all reachable resources. </li></ul></ul><ul><ul><li>Application assets now live inside JavaScript and other HTML constructs (Ajax calls, dynamically built URLs), which makes asset detection hard; the blackbox approach misses them in many cases. </li></ul></ul><ul><ul><li>With the whitebox approach every line of the code under review is visible, so the scope can be covered completely; whitebox does a much better job of covering the source (generated and third-party code still has to be pulled into the review to keep that claim true). </li></ul></ul>
29.
White vs. Black <ul><li>Discovery and Detection </li></ul><ul><ul><li>Blackbox testing relies on signature analysis for vulnerability detection; for example, it looks for an ODBC error message to confirm SQL injection. </li></ul></ul><ul><ul><li>If the errors are suppressed (custom error pages, generic handlers) the signature never appears … </li></ul></ul><ul><ul><li>Blackbox fails in those cases </li></ul></ul><ul><ul><li>Whitebox still sees the unparameterised query and is good to go </li></ul></ul>
30.
White vs. Black <ul><li>Accuracy of Vulnerability </li></ul><ul><ul><li>The accuracy of vulnerability findings matters as well. </li></ul></ul><ul><ul><li>Blackbox is inaccurate in some cases </li></ul></ul><ul><ul><li>It produces both false positives and false negatives </li></ul></ul>
31.
White vs. Black <ul><li>Cause Identification </li></ul><ul><ul><li>One of the major challenges is to identify the actual cause of a vulnerability. </li></ul></ul><ul><ul><li>Blackbox shows the symptoms </li></ul></ul><ul><ul><li>Whitebox can pinpoint the cause </li></ul></ul>
32.
Limitations <ul><li>Blackbox </li></ul><ul><ul><li>Vulnerabilities get missed </li></ul></ul><ul><ul><li>Coverage is not complete </li></ul></ul><ul><ul><li>Vulnerability found, but where is its source in the code? </li></ul></ul><ul><ul><li>The developer's question: where should I go and fix it? (location) </li></ul></ul><ul><li>WAF </li></ul><ul><ul><li>Easy to bypass </li></ul></ul><ul><ul><li>Missing rules </li></ul></ul><ul><ul><li>Too much gets pushed onto the WAF; as the only control it may not work … </li></ul></ul>
34.
Domain centric approach - MUSTs <ul><li>Authentication </li></ul><ul><li>Authorization </li></ul><ul><li>Error Handling </li></ul><ul><li>Input Validations </li></ul><ul><li>Data Validation </li></ul><ul><li>Crypto and Secret Handling </li></ul><ul><li>Business Logic Handling </li></ul><ul><li>Session and Identity Handling </li></ul><ul><li>Client Side Controls </li></ul><ul><li>Auditing and Logging </li></ul>
35.
Two components <ul><li>From a software security perspective the SDLC should have two important components </li></ul><ul><ul><li>Threat modeling </li></ul></ul><ul><ul><li>Source code analysis </li></ul></ul>
38.
Entry Point Review <ul><li>Server side </li></ul><ul><ul><li>QueryString </li></ul></ul><ul><ul><li>POST name and value pairs </li></ul></ul><ul><ul><li>XML/JSON etc. </li></ul></ul><ul><ul><li>HTTP variables, cookies etc. </li></ul></ul><ul><ul><li>File attachments, uploads etc. </li></ul></ul><ul><ul><li>Feeds and third-party information </li></ul></ul><ul><ul><li>Open APIs and integrated streams </li></ul></ul><ul><li>Client side </li></ul><ul><ul><li>HTTP response variables </li></ul></ul><ul><ul><li>JSON/XML streams </li></ul></ul><ul><ul><li>API streams </li></ul></ul>
40.
Mapping Key Parameters <table><tr><th>Steps</th><th>Input</th><th>Output</th></tr><tr><td>Identify application objectives</td><td>Business requirements</td><td>List of key objectives</td></tr><tr><td>Overview of the application architecture</td><td><ul><li>Architecture diagrams</li><li>Functional specifications</li><li>List of key technologies</li></ul></td><td>End-to-end architecture implementation details</td></tr><tr><td>In-depth application analysis</td><td><ul><li>Data flow diagrams</li><li>Technical specifications</li></ul></td><td><ul><li>Trust boundaries</li><li>Entry points</li><li>Exit points</li><li>Data flows</li></ul></td></tr><tr><td>Identify threats & vulnerabilities</td><td><ul><li>Well-known threats / knowledge of them from the Internet</li><li>Threat trees</li></ul></td><td>Threat & vulnerabilities list</td></tr></table>
41.
Static Code Analysis <ul><li>Static code analysis is a long-established technique for assessing code quality. </li></ul><ul><li>It covers analysis of compiled and object code as well as source. </li></ul><ul><li>Any analysis we can do without actually executing the application can be called static code analysis. </li></ul><ul><li>Static analysis of application code from a security perspective is one of the most powerful tools for whitebox review. </li></ul><ul><li>For many web applications (PHP, ASP, JSP pages) there is no separate object code at all: the application exists only as clear-text source. </li></ul>
43.
Application challenges <ul><li>Application entry points are scattered and numerous; many arrive over HTTP traffic and are sometimes tricky to detect. </li></ul><ul><li>Web 2.0 applications run Web Services using protocols like SOAP, XML-RPC or REST. </li></ul><ul><li>Application-layer tracing is difficult and challenging because one flow spans multiple pages plus intermediate framework code. </li></ul><ul><li>Source code analysis has to deal with different technologies and modules in one process, which makes it very difficult. </li></ul><ul><li>Client-side code and modules such as Ajax, JavaScript, Flash and Silverlight are an important aspect. </li></ul><ul><li>Static code analysis also needs some expertise in binary and object code analysis, beyond the application code itself. </li></ul>
50.
Object vs. Source <ul><li>Source code is written in high-level languages like C#, Java or PHP, while object code is lowered and optimized into intermediate or machine-understandable form. </li></ul><ul><li>Source code is easier to grasp and helps identify the developer's intent, logic and approach. </li></ul><ul><li>Object code alone is not enough for security analysis: for example, we may know there is a simple vulnerability but we still need to link it to the actual source line number. </li></ul><ul><li>Object code is easier to analyze as far as name and type resolution is concerned, since the compiler has already done that work. </li></ul><ul><li>Source code analysis needs a powerful parser, and that parser is very language dependent. </li></ul><ul><li>Source code is the actual code written by the developers, so all the information is in it, like comments and other signs of intent. </li></ul><ul><li>Also, it is easier for someone to ship object code than source code (IP issues). </li></ul>
52.
Attack Surface <ul><li>The source code defines the probable attack surface </li></ul><ul><li>The attack surface is defined by the entry points </li></ul><ul><li>Entry points are what attackers exploit </li></ul><ul><li>An attacker passes a payload through these points and tries to exploit the system </li></ul><ul><li>Attack surface determination and entry point identification are therefore critical </li></ul>
61.
Entry Points – Client Side <ul><li>HTTP response – all headers as well as the HTML content </li></ul><ul><li>JavaScript served by the server </li></ul><ul><li>Ajax/RIA calls consuming the structures discussed earlier, like JSON, XML, JS-Object etc. </li></ul><ul><li>Callbacks – modern applications use callback mechanisms, so data arriving at the browser is injected into the DOM by script functions. </li></ul><ul><li>The browser making API calls across domains </li></ul>
67.
Rules… <ul><li># Rules file for AppCodeScan </li></ul><ul><li># This file is specific for ASP/ASP.NET applications (Just a sample rules) - all regex patterns </li></ul><ul><li>#Scanning for Request Object Entry Points </li></ul><ul><li>.*.Request.* </li></ul><ul><li>#Scanning for ASP.NET app entry points </li></ul><ul><li>.*.<asp:FileUpload.*?> </li></ul><ul><li>.*.<asp:TextBox.*?> </li></ul><ul><li>.*.<asp:HiddenField.*?> </li></ul><ul><li>.*.<asp:Login.*?> </li></ul><ul><li>.*.<asp:PasswordRecovery.*?> </li></ul><ul><li>.*.<asp:ChangePassword.*?> </li></ul>
69.
PHP/Coldfusion <ul><li>PHP </li></ul><ul><ul><li>$_GET["var"] </li></ul></ul><ul><ul><li>$_POST["var"] </li></ul></ul><ul><ul><li>$_REQUEST["var"] </li></ul></ul><ul><li>Coldfusion </li></ul><ul><ul><li>#URL.name# - reads "name" from the query string </li></ul></ul><ul><ul><li>Similarly, entry points for POST and the other scopes can be identified by searching for the following keywords </li></ul></ul><ul><ul><li>FORM/form </li></ul></ul><ul><ul><li>SERVER/server </li></ul></ul><ul><ul><li>CLIENT/client </li></ul></ul><ul><ul><li>SESSION/session </li></ul></ul>
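The rules file above and the PHP/ColdFusion keyword lists are both just regular expressions applied line by line. The following Python is an added example, not AppCodeScan's own code: it loads a rules file in the same layout (one regex per line, `#` lines are comments), scans a set of source files and reports every entry point with file and line number. The ASP.NET patterns are copied from the slide verbatim; the PHP and ColdFusion patterns, the rule loader and the sample source files are constructed for this example.

```python
"""Rule-driven entry point scanner (added example, not AppCodeScan's source)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Rules file. ASP.NET lines are the slide's own patterns; PHP and ColdFusion
# lines were added here. The ColdFusion rule starts with an escaped '#' so the
# loader does not mistake it for a comment.
RULES_TEXT = r"""
# Rules file (constructed sample, same layout as the AppCodeScan rules above)
#Scanning for Request Object Entry Points
.*.Request.*
#Scanning for ASP.NET app entry points
.*.<asp:FileUpload.*?>
.*.<asp:TextBox.*?>
.*.<asp:HiddenField.*?>
.*.<asp:Login.*?>
.*.<asp:PasswordRecovery.*?>
.*.<asp:ChangePassword.*?>
#Scanning for PHP superglobal entry points (added here)
\$_(GET|POST|REQUEST|COOKIE)\[
#Scanning for ColdFusion scope entry points (added here)
\#(URL|FORM|SERVER|CLIENT|SESSION)\.\w+\#
"""

# Constructed sample sources: one ASP.NET page, its code-behind, a PHP page
# and a ColdFusion template. Controls are indented because the slide's
# ".*.<asp:" patterns need one character in front of the tag.
SOURCE_FILES: Dict[str, str] = {
    "Login.aspx": """<form runat="server">
  <asp:Login ID="LoginCtl" runat="server" />
  <asp:TextBox ID="Search" runat="server" />
  <asp:HiddenField ID="Price" runat="server" />
</form>""",
    "Product.aspx.cs": """string id = Request.QueryString["id"];
string sql = "select * from products where id=" + id;
var log = Logger.Get();""",
    "search.php": """<?php
$q = $_GET["q"];
$page = $_POST['page'];
$total = count($items);""",
    "order.cfm": """<cfquery name="q" datasource="shop">
  select * from orders where id = #URL.id#
</cfquery>
<cfset user = #SESSION.user#>""",
}


@dataclass
class Hit:
    file: str
    line: int
    rule: str
    code: str


def load_rules(text: str) -> List[re.Pattern]:
    """Compile every non-blank, non-comment line of the rules file."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(re.compile(line))
    return rules


def scan_source(name: str, source: str, rules: List[re.Pattern]) -> List[Hit]:
    """Report the first rule that fires on each line; one hit per line is
    enough for an entry point inventory."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule in rules:
            if rule.search(line):
                hits.append(Hit(name, lineno, rule.pattern, line.strip()))
                break
    return hits


def scan_files(files: Dict[str, str], rules: List[re.Pattern]) -> List[Hit]:
    hits = []
    for name, source in files.items():
        hits.extend(scan_source(name, source, rules))
    return hits


def count_by_file(hits: List[Hit]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.file] = counts.get(h.file, 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_files(SOURCE_FILES, load_rules(RULES_TEXT)):
        print(f"{h.file}:{h.line}  [{h.rule}]  {h.code}")
```

Two things worth noticing when you reuse the slide's patterns as-is: the unescaped dot in `.*.Request.*` and `.*.<asp:…` means "any one character", so a control written at column 0 is not matched (write `\.Request\.` and `<asp:TextBox` without the leading `.*.` for a precise rule), and the `Request` rule is case-sensitive, so PHP's `$_REQUEST` needs its own pattern.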
70.
Web 2.0 <ul><li>Web Services and SOA entry points </li></ul>
71.
Making POST <ul><li>POST /ws/dvds4less.asmx HTTP/1.0 </li></ul><ul><li>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433) </li></ul><ul><li>Content-Type: text/xml; charset=utf-8 </li></ul><ul><li>SOAPAction: "http://tempuri.org/getProductInfo" </li></ul><ul><li>Host: 192.168.1.50 </li></ul><ul><li>Content-Length: 317 </li></ul><ul><li>Expect: 100-continue </li></ul><ul><li>Connection: Keep-Alive </li></ul><ul><li><?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><getProductInfo xmlns="http://tempuri.org/"><id>1</id></getProductInfo></soap:Body></soap:Envelope> </li></ul>
72.
Code for Web Services <ul><li><%@ WebService Language="c#" Class="dvds4less" %> </li></ul><ul><li><%@ Assembly name="Microsoft.Data.SqlXml" %> </li></ul><ul><li>using Microsoft.Data.SqlXml; </li></ul><ul><li>using System.Xml; </li></ul><ul><li>using System; </li></ul><ul><li>using System.Web.Services; </li></ul><ul><li>using System.Data.SqlClient; </li></ul><ul><li>using System.IO; </li></ul><ul><li>public class dvds4less </li></ul><ul><li>{ </li></ul><ul><li>[WebMethod] </li></ul><ul><li>public string Intro() </li></ul><ul><li>{ </li></ul><ul><li>return "DVDs4LESS - Information APIs for web application usage and other business usage"; </li></ul><ul><li>} </li></ul><ul><li>[WebMethod] </li></ul><ul><li>public string getProductInfo(string id) </li></ul><ul><li>{ </li></ul><ul><li>… . Code for this function </li></ul><ul><li>} </li></ul><ul><li>} </li></ul>
73.
JSON-RPC <ul><li><%@ WebHandler Class="JayrockWeb.DemoService" Language="C#" %> </li></ul><ul><li>namespace JayrockWeb </li></ul><ul><li>{ </li></ul><ul><li>using System; </li></ul><ul><li>using System.Configuration; </li></ul><ul><li>using System.Data; </li></ul><ul><li>using System.Data.SqlClient; </li></ul><ul><li>using System.Collections; </li></ul><ul><li>using System.Collections.Specialized; </li></ul><ul><li>using System.Web; </li></ul><ul><li>using System.Web.SessionState; </li></ul><ul><li>using System.Web.UI; </li></ul><ul><li>using System.Web.UI.WebControls; </li></ul><ul><li>using System.Drawing; </li></ul><ul><li>using Jayrock.Json; </li></ul><ul><li>using Jayrock.JsonRpc; </li></ul><ul><li>using Jayrock.JsonRpc.Web; </li></ul><ul><li>[ JsonRpcHelp("This is a JSON-RPC service that demonstrates the basic features of the Jayrock library.") ] </li></ul><ul><li>public class DemoService : JsonRpcHandler, IRequiresSessionState </li></ul><ul><li>{ </li></ul><ul><li>[JsonRpcMethod("getProduct", Idempotent = true)] </li></ul><ul><li>[ JsonRpcHelp("Returns Product Info") ] </li></ul><ul><li>public DataSet GetProductSet(string id) </li></ul><ul><li>{ </li></ul><ul><li>… . Code goes here… </li></ul><ul><li>} </li></ul><ul><li>} </li></ul><ul><li>} </li></ul>
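The SOAP request on the "Making POST" slide and the `[WebMethod]` / `[JsonRpcMethod]` handlers on the two code slides are two views of the same entry point: `<id>1</id>` on the wire becomes the `string id` parameter in code. The Python below is an added example (not from the slides, Jayrock or ASP.NET) that joins those views: it parses a captured SOAP or JSON-RPC request, enumerates the attributed methods in the source, and reports which method and which parameter receive the attacker-controlled value. The SOAP envelope is the one from the slide; the JSON-RPC request, the trimmed source snippets and the attribute/signature regexes are constructed assumptions.

```python
"""Map a captured web service call to its entry point in the source
(added example; not the slides' or any framework's own code)."""
import json
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# SOAP body from the 'Making POST' slide
SOAP_REQUEST = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body>'
    '<getProductInfo xmlns="http://tempuri.org/"><id>1</id></getProductInfo>'
    '</soap:Body></soap:Envelope>'
)

# Constructed JSON-RPC call to the Jayrock handler shown above
JSONRPC_REQUEST = '{"method": "getProduct", "params": ["1"], "id": 7}'

# Constructed, trimmed versions of the two code slides (bodies are elided there)
SOURCE_FILES: Dict[str, str] = {
    "dvds4less.asmx": """[WebMethod]
public string Intro()
{
    return "DVDs4LESS - Information APIs";
}
[WebMethod]
public string getProductInfo(string id)
{
    // body elided on the slide
    return id;
}""",
    "DemoService.ashx": """[JsonRpcMethod("getProduct", Idempotent = true)]
[ JsonRpcHelp("Returns Product Info") ]
public DataSet GetProductSet(string id)
{
    // body elided on the slide
    return null;
}""",
}

WEBMETHOD_RE = re.compile(r"\[\s*WebMethod\s*\]")
JSONRPC_RE = re.compile(r'\[\s*JsonRpcMethod\(\s*"([^"]+)"')
SIGNATURE_RE = re.compile(r"public\s+\w[\w<>\[\]]*\s+(\w+)\s*\(([^)]*)\)")


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def soap_entry_point(envelope: str) -> Dict:
    """Operation name and named parameters of a SOAP request."""
    # stdlib ElementTree does not fetch external entities, but run untrusted
    # captures through defusedxml in a real tool all the same
    root = ET.fromstring(envelope.encode("utf-8"))
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    op = next(iter(body))  # first child of Body is the operation element
    params = {_local(p.tag): (p.text or "") for p in op}
    return {"transport": "soap", "operation": _local(op.tag), "params": params}


def jsonrpc_entry_point(body: str) -> Dict:
    """Method name and parameters of a JSON-RPC request; positional params
    are keyed arg0, arg1, ... so both shapes look alike downstream."""
    req = json.loads(body)
    params = req.get("params", [])
    if isinstance(params, list):
        params = {f"arg{i}": v for i, v in enumerate(params)}
    return {"transport": "json-rpc", "operation": req["method"], "params": params}


def code_entry_points(files: Dict[str, str]) -> List[Dict]:
    """Every method carrying [WebMethod] or [JsonRpcMethod("...")]."""
    found: List[Dict] = []
    for fname, src in files.items():
        pending = None  # (transport, wire name) of the attribute seen last
        for lineno, line in enumerate(src.splitlines(), start=1):
            if WEBMETHOD_RE.search(line):
                pending = ("soap", None)
                continue
            m = JSONRPC_RE.search(line)
            if m:
                pending = ("json-rpc", m.group(1))
                continue
            sig = SIGNATURE_RE.search(line) if pending else None
            if sig:
                method, args = sig.group(1), sig.group(2)
                params = [a.split()[-1] for a in args.split(",") if a.strip()]
                found.append({"file": fname, "line": lineno, "transport": pending[0],
                              "operation": pending[1] or method,
                              "method": method, "params": params})
                pending = None
    return found


def match_wire_to_code(wire: Dict, entry_points: List[Dict]) -> Optional[Dict]:
    """Join a parsed request to the method that handles it and list the code
    parameters that carry wire data (named for SOAP, positional for JSON-RPC)."""
    for ep in entry_points:
        if ep["transport"] == wire["transport"] and ep["operation"] == wire["operation"]:
            if wire["transport"] == "soap":
                tainted = [p for p in ep["params"] if p in wire["params"]]
            else:
                tainted = ep["params"][:len(wire["params"])]
            return {**ep, "wire_params": wire["params"], "tainted": tainted}
    return None


if __name__ == "__main__":
    eps = code_entry_points(SOURCE_FILES)
    for req in (soap_entry_point(SOAP_REQUEST), jsonrpc_entry_point(JSONRPC_REQUEST)):
        print(match_wire_to_code(req, eps))
```

The result for the slide's request is the `getProductInfo(string id)` method with `id` marked as tainted, which is exactly the variable the tainted-variable analysis on the following slides starts from.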
76.
Tainted variables <ul><li>If a variable or entry point is injected with a payload, it can have a significant impact </li></ul><ul><li>Impact analysis needs to be done </li></ul><ul><li>The impact depends on the hit points the tainted value reaches across the application </li></ul><ul><li>This is interesting from a vulnerability scanning perspective </li></ul>
78.
Types - Impact <ul><li>Three important kinds of hit point on the path from an entry point to an end point: </li></ul><ul><ul><li>Data point – the entry point brings new data into the application, and that data ends up in the database or file system. </li></ul></ul><ul><ul><li>Logic point – the value is consumed by the business logic and drives business decisions. </li></ul></ul><ul><ul><li>Event point – certain user-supplied information triggers an event inside the application, such as a call to an LDAP server. </li></ul></ul>
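The two slides above describe a taint analysis: mark what comes in through an entry point, follow it through assignments, and classify each place it lands as a data point, a logic point or an event point. The following Python is an added example, not from the slides or any tool they name: a deliberately small line-based tracker over a constructed C# fragment. The sample code, the sink table (which .NET calls stand for which kind of hit point), the sanitizer list and the regexes are all assumptions made for this example; a real engine works on an AST and tracks sub-expressions, whereas this one treats a whole assignment as one unit, so a line like `a = Clean(x) + y` with tainted `y` would be reported as clean.

```python
"""Line-based taint tracker classifying hit points (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

ENTRY_RE = re.compile(r"Request\.(QueryString|Form|Cookies|Headers)\[")
ASSIGN_RE = re.compile(r"^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')

# Calls that turn a tainted string into something the sinks below can take
SANITIZERS = ("int.Parse(", "Int32.Parse(", "HttpUtility.HtmlEncode(")

# The slide's three hit point kinds, keyed to .NET calls chosen to stand for
# them (assumption); order matters only when a line hits several markers
SINKS = {
    "data point": ("SqlCommand(", "ExecuteReader(", "File.ReadAllText(", "File.WriteAllText("),
    "logic point": ("if (", "if(", "switch ("),
    "event point": ("DirectorySearcher(", "Process.Start(", "SmtpClient.Send("),
}

# Constructed C# fragment: two tainted inputs, one sanitized input, one clean read
SAMPLE_CS = """string id = Request.QueryString["id"];
string role = Request.Cookies["role"];
string sql = "select * from products where id = " + id;
var cmd = new SqlCommand(sql, conn);
if (role == "admin") { grant = true; }
int qty = int.Parse(Request.Form["qty"]);
if (qty > 100) { bulk = true; }
var search = new DirectorySearcher("(uid=" + id + ")");
var text = File.ReadAllText(path);
"""


@dataclass
class HitPoint:
    line: int
    kind: str
    variables: List[str]
    code: str


def _identifiers(text: str) -> Set[str]:
    """Identifiers on a line, with string literal contents blanked out first."""
    return set(IDENT_RE.findall(STRING_RE.sub('""', text)))


def analyse(source: str) -> List[HitPoint]:
    tainted: Set[str] = set()
    hits: List[HitPoint] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # 1. Does this line hand an already tainted value to a sink?
        used = _identifiers(line) & tainted
        if used:
            for kind, markers in SINKS.items():
                if any(mk in line for mk in markers):
                    hits.append(HitPoint(lineno, kind, sorted(used), line.strip()))
                    break
        # 2. Update the taint state if the line is an assignment
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        target, rhs = m.group(1), m.group(2)
        if any(s in rhs for s in SANITIZERS):
            tainted.discard(target)      # typed conversion / encoding cleans it
        elif ENTRY_RE.search(rhs):
            tainted.add(target)          # entry point: attacker controls it
        elif _identifiers(rhs) & tainted:
            tainted.add(target)          # propagation (concatenation, wrapping)
        else:
            tainted.discard(target)      # overwritten with clean data
    return hits


def impact_summary(hits: List[HitPoint]) -> Dict[str, int]:
    """How many hit points of each kind a tainted value reaches."""
    summary: Dict[str, int] = {}
    for h in hits:
        summary[h.kind] = summary.get(h.kind, 0) + 1
    return summary


if __name__ == "__main__":
    found = analyse(SAMPLE_CS)
    for h in found:
        print(f"line {h.line}: {h.kind} via {', '.join(h.variables)}: {h.code}")
    print(impact_summary(found))
```

On the sample the `id` cookie-free query parameter reaches a data point (the `SqlCommand`) through `sql` and an event point (the LDAP `DirectorySearcher`) directly, `role` reaches a logic point (the `if` that grants access), and `qty` reaches nothing because `int.Parse` cleaned it before the decision on line 7. That per-variable list of hit points is the impact analysis the slide asks for, and it is what a scanner ranks when it decides which entry point to report first.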