Application Security

Application SecurityApplication Security
Reggie SantosReggie Santos
UP ITDCUP ITDC

OutlineOutline
Brief timeline on cyber attack historyBrief timeline on cyber attack history
DefinitionDefinition
Foundations of SecurityFoundations of Security
Definition of TermsDefinition of Terms
Threat ModelingThreat Modeling

OutlineOutline
Application Vulnerability CategoriesApplication Vulnerability Categories
Core Security PrinciplesCore Security Principles
Web Application SecurityWeb Application Security
Risks and Risk Mitigation/Control MeasuresRisks and Risk Mitigation/Control Measures
ReferencesReferences

The number of variants of malicious software aimed at mobile devicesThe number of variants of malicious software aimed at mobile devices
has reportedly risen from about 14,000 to 40,000 or about 185% in lesshas reportedly risen from about 14,000 to 40,000 or about 185% in less
than a year – Government Accountability Office (GAO), US (2012)than a year – Government Accountability Office (GAO), US (2012)

SecuritySecurity
Fundamentally about protecting assetsFundamentally about protecting assets
AssetsAssets
Tangible items such as a Web page or yourTangible items such as a Web page or your
customer databasecustomer database
Less tangible items such as the company’sLess tangible items such as the company’s
reputationreputation

SecuritySecurity
AA pathpath, not a destination, not a destination
As you analyze your infrastructure and applications,As you analyze your infrastructure and applications,
youyou identify potential threatsidentify potential threats and understand thatand understand that
each threat presents aeach threat presents a degree of riskdegree of risk
AboutAbout risk managementrisk management and implementingand implementing
effective countermeasureseffective countermeasures

AuthenticationAuthentication
Addresses the question:Addresses the question: “who are you?”“who are you?”
Process ofProcess of uniquely identifying the clientsuniquely identifying the clients of yourof your
applications and servicesapplications and services
Might be end-users, other services, processes, orMight be end-users, other services, processes, or
computerscomputers
Authenticated clients are referred to asAuthenticated clients are referred to as principalsprincipals

AuthorizationAuthorization
Addresses the question:Addresses the question: “what can you do?”“what can you do?”
Process that governs the resources and operationsProcess that governs the resources and operations
that the authenticated client isthat the authenticated client is permitted topermitted to
accessaccess

ResourcesResources include files, databases, tables, rows, and soinclude files, databases, tables, rows, and so
on, together with system-level resources such as registryon, together with system-level resources such as registry
keys and configuration datakeys and configuration data
OperationsOperations include performing transactions such asinclude performing transactions such as
purchasing a product, transferring money from onepurchasing a product, transferring money from one
account to another, or increasing a customer's creditaccount to another, or increasing a customer's credit
ratingrating

ConfidentialityConfidentiality
PrivacyPrivacy
Process of making sure that data remainsProcess of making sure that data remains privateprivate
andand confidentialconfidential, and that it cannot be viewed by, and that it cannot be viewed by
unauthorized users or eavesdroppers who monitorunauthorized users or eavesdroppers who monitor
the flow of traffic across a networkthe flow of traffic across a network

EncryptionEncryption is frequently used to enforceis frequently used to enforce
confidentialityconfidentiality
DES (Data Encryption Standard), RSA, HASH,DES (Data Encryption Standard), RSA, HASH,
MD5, AES (Advanced Encryption Standard), SHA-MD5, AES (Advanced Encryption Standard), SHA-
1, HMAC, Blowfish1, HMAC, Blowfish
Access control lists (Access control lists (ACLsACLs) are another means) are another means

IntegrityIntegrity
Guarantee that data isGuarantee that data is protectedprotected from accidentalfrom accidental
or deliberate (malicious) modificationor deliberate (malicious) modification
Integrity for data in transit is typically provided byIntegrity for data in transit is typically provided by
usingusing hashing techniqueshashing techniques andand messagemessage
authentication codesauthentication codes

AvailabilityAvailability
Systems remain available for legitimate usersSystems remain available for legitimate users

ThreatThreat
Any potential occurrence, malicious or otherwise,Any potential occurrence, malicious or otherwise,
thatthat could harm an assetcould harm an asset

VulnerabilityVulnerability
WeaknessWeakness that makes a threat possiblethat makes a threat possible
May be because of poor design, configurationMay be because of poor design, configuration
mistakes, or inappropriate and insecure codingmistakes, or inappropriate and insecure coding
techniquestechniques
e.g. lack of or improper input validatione.g. lack of or improper input validation

AttackAttack
Action thatAction that exploits a vulnerabilityexploits a vulnerability oror enacts aenacts a
threatthreat
e.g. sending malicious input to an applicatione.g. sending malicious input to an application
e.g. flooding a network in an attempt to denye.g. flooding a network in an attempt to deny
serviceservice

Recommended to form part of your application'sRecommended to form part of your application's
design phasedesign phase
Analyzes your application's architecture and designAnalyzes your application's architecture and design
andand identify potentially vulnerable areasidentify potentially vulnerable areas thatthat
may allow a user, perhaps mistakenly, or an attackermay allow a user, perhaps mistakenly, or an attacker
with malicious intent, to compromise your system'swith malicious intent, to compromise your system's
securitysecurity

Use of software, hardware, and procedural methodsUse of software, hardware, and procedural methods
toto protect applications from external threatsprotect applications from external threats

Application VulnerabilityApplication Vulnerability
CategoriesCategories
Input ValidationInput Validation
How your applicationHow your application filters, scrubs, or rejectsfilters, scrubs, or rejects
inputinput before additional processingbefore additional processing

"Who are you?""Who are you?"
Process where anProcess where an entity proves the identity ofentity proves the identity of
another entityanother entity, typically through credentials, such, typically through credentials, such
as a username and passwordas a username and password

"What can you do?""What can you do?"
How your applicationHow your application provides access controlsprovides access controls
for resources and operationsfor resources and operations

Configuration ManagementConfiguration Management
Who does your application run as?Who does your application run as?
Which databases does it connect to?Which databases does it connect to?

How is your application administered?How is your application administered?
How are these settings secured?How are these settings secured?
How your application handles these operationalHow your application handles these operational
issuesissues

Sensitive DataSensitive Data
How your applicationHow your application
handles any data thathandles any data that
must be protectedmust be protected
eithereither in memory,in memory,
over the wire, or inover the wire, or in
persistent storespersistent stores

Session ManagementSession Management
SessionSession
Series of related interactions between a user andSeries of related interactions between a user and
your web applicationyour web application
How your application handles and protects theseHow your application handles and protects these
interactionsinteractions

CryptographyCryptography
How are your keeping secrets, secret (How are your keeping secrets, secret (confidentialityconfidentiality)?)?
How are you tamperproofing your data or libraries (How are you tamperproofing your data or libraries (integrityintegrity)?)?
How are you providingHow are you providing seeds for random valuesseeds for random values that mustthat must
be cryptographically strong?be cryptographically strong?
How your application enforces confidentiality and integrityHow your application enforces confidentiality and integrity

Parameter ManipulationParameter Manipulation
Form fields, query string arguments,Form fields, query string arguments, andand
cookie valuescookie values are frequently used as parametersare frequently used as parameters
for your applicationfor your application
How your application safeguards tampering ofHow your application safeguards tampering of
these values and how your application processesthese values and how your application processes
input parametersinput parameters

Exception ManagementException Management
When a method call in your application fails, whatWhen a method call in your application fails, what
does your application do?does your application do?
How much do you reveal?How much do you reveal?

Do you return friendly error information to end-Do you return friendly error information to end-
users?users?
Do you pass valuable exception information back toDo you pass valuable exception information back to
the caller?the caller?
How does your application fail gracefully?How does your application fail gracefully?

Auditing and LoggingAuditing and Logging
““Who did what and when?”Who did what and when?”
How your application records security-relatedHow your application records security-related
eventsevents

CompartmentalizeCompartmentalize
Reduce the surface area of attackReduce the surface area of attack
Ask yourself how you will contain a problemAsk yourself how you will contain a problem
If an attacker takes over your application, whatIf an attacker takes over your application, what
resources can he or she access?resources can he or she access?
Can an attacker access network resources?Can an attacker access network resources?

How are you restricting potential damage?How are you restricting potential damage?
ExamplesExamples
FirewallsFirewalls
Least privileged accountsLeast privileged accounts
Least privileged codeLeast privileged code

Use least privilegeUse least privilege
By running processes usingBy running processes using accounts withaccounts with
minimal privileges and access rightminimal privileges and access rights, yous, you
significantly reduce the capabilities of an attacker ifsignificantly reduce the capabilities of an attacker if
the attacker manages to compromise security andthe attacker manages to compromise security and
run coderun code

Apply defense in depthApply defense in depth
UseUse multiple gatekeepersmultiple gatekeepers to keep attackers atto keep attackers at
baybay
Do not rely on aDo not rely on a singlesingle layer of securitylayer of security
Consider that one of your layers may beConsider that one of your layers may be bypassedbypassed
or compromisedor compromised

Do not trust user inputDo not trust user input
Your application's user input is theYour application's user input is the attacker'sattacker's
primary weaponprimary weapon when targeting your applicationwhen targeting your application
Assume all input is malicious until proven otherwiseAssume all input is malicious until proven otherwise

Check at the gateCheck at the gate
Authenticate and authorize callers early at the firstAuthenticate and authorize callers early at the first
gategate

Fail securelyFail securely
If an application fails, do not leave sensitive dataIf an application fails, do not leave sensitive data
accessibleaccessible
Return friendly errors to end-users that do not exposeReturn friendly errors to end-users that do not expose
internal system detailsinternal system details
Do not include details that may help an attackerDo not include details that may help an attacker
exploit vulnerabilities in your applicationexploit vulnerabilities in your application

Secure the weakest linkSecure the weakest link
Is there a vulnerability at the network layer that an attackerIs there a vulnerability at the network layer that an attacker
can exploit?can exploit?
What about the host?What about the host?
Is your application secure?Is your application secure?
Any weak link in the chain is an opportunity for breachedAny weak link in the chain is an opportunity for breached
securitysecurity

Create secure defaultsCreate secure defaults
Is the default account set up with the least privilege?Is the default account set up with the least privilege?
Is the default account disabled by default and then explicitlyIs the default account disabled by default and then explicitly
enabled when required?enabled when required?
Does the configuration use a password in plain text?Does the configuration use a password in plain text?
When an error occurs, does sensitive information leak back toWhen an error occurs, does sensitive information leak back to
the client to be used potentially against the system?the client to be used potentially against the system?

Reduce your attack surfaceReduce your attack surface
If you do not use it, remove it or disable itIf you do not use it, remove it or disable it
Reduce the surface area of attack by disabling orReduce the surface area of attack by disabling or
removing unused services, protocols, and functionalityremoving unused services, protocols, and functionality
Does your server need all those services and ports?Does your server need all those services and ports?
Does your application need all those features?Does your application need all those features?

Aims to identify:Aims to identify:
TheThe critical assetscritical assets of the organizationof the organization
Genuine usersGenuine users who may access the datawho may access the data
Level of accessLevel of access provided to each userprovided to each user

Aims to identify:Aims to identify:
VariousVarious vulnerabilitiesvulnerabilities that may exist in thethat may exist in the
applicationapplication
Data criticality and risk analysisData criticality and risk analysis on dataon data
exposureexposure
AppropriateAppropriate remediation measuresremediation measures

Controls/Risk MitigationControls/Risk Mitigation
MeasuresMeasures
Implement a Software Development Lifecycle (Implement a Software Development Lifecycle (SDLCSDLC))
AddAdd securitysecurity attributes to your SDLCattributes to your SDLC
Performing thePerforming the rightright activitiesactivities
QualifiedQualified personnelpersonnel

MeasuresMeasures
EnlistEnlist QAQA for basic application security holesfor basic application security holes
SSLSSL (Secure Sockets Layer)(Secure Sockets Layer)
App-specific PKIApp-specific PKI (Public Key Infrastructure)(Public Key Infrastructure)
Input sanitizationInput sanitization

MeasuresMeasures
StandardsStandards
CWECWE
Common Weakness EnumerationCommon Weakness Enumeration
http://cwe.mitre.orghttp://cwe.mitre.org
CADECCADEC
Common Attack Pattern Enumeration and ClassificationCommon Attack Pattern Enumeration and Classification
http://capec.mitre.orghttp://capec.mitre.org

MeasuresMeasures
Application Firewalls (e.g.Application Firewalls (e.g. WAFWAF))
Inspects all traffic flowing to the web application forInspects all traffic flowing to the web application for
common web application attackscommon web application attacks
Add your solution to your asset inventory andAdd your solution to your asset inventory and
configuration assessment tasksconfiguration assessment tasks

MeasuresMeasures
Against Cross-site Scripting Attacks (Against Cross-site Scripting Attacks (XSSXSS))
AgainstAgainst SQL injectionSQL injection attacksattacks
AgainstAgainst command injectioncommand injection attacksattacks
AgainstAgainst directory traversaldirectory traversal attacksattacks

MeasuresMeasures
Explicit error checkingExplicit error checking should be done for all inputshould be done for all input
Implement thoroughImplement thorough input validationinput validation

MeasuresMeasures
Whenever a variable is created in source code, the size andWhenever a variable is created in source code, the size and
type should be determinedtype should be determined
Guard againstGuard against overflowsoverflows
Buffer overflowsBuffer overflows
Integer overflowsInteger overflows
Perform the checks usingPerform the checks using code reviews,code reviews, andand static andstatic and
runtime analysisruntime analysis

MeasuresMeasures
When input is provided by the user, it should beWhen input is provided by the user, it should be
verified that it does not exceed the size or the dataverified that it does not exceed the size or the data
type of the memory location in which it is stored ortype of the memory location in which it is stored or
moved in the futuremoved in the future
Can be mitigated against through fCan be mitigated against through formalizedormalized
SDLC with good code-review and automatedSDLC with good code-review and automated
analysisanalysis

MeasuresMeasures
Test in-house-developed web applications forTest in-house-developed web applications for
common security weaknesses using automatedcommon security weaknesses using automated
remote web application scanners prior to deploymentremote web application scanners prior to deployment
ThroughThrough penetration testingpenetration testing

MeasuresMeasures
Test in-house-developed web applications forTest in-house-developed web applications for
common security weaknesses using automatedcommon security weaknesses using automated
remote web application scanners whenever updatesremote web application scanners whenever updates
are made to the applicationare made to the application
Regression testing for security issuesRegression testing for security issues

MeasuresMeasures
System error messages should not be displayed to end-usersSystem error messages should not be displayed to end-users
((output sanitizationoutput sanitization))
SimpleSimple data leakage mitigationdata leakage mitigation
Can be troublesome for your support groupCan be troublesome for your support group
If need be, create anIf need be, create an error code mappingerror code mapping from thefrom the
plaform/internals to something you can share with an end-plaform/internals to something you can share with an end-
user who will likely call support at some point anywayuser who will likely call support at some point anyway

MeasuresMeasures
Organizations should understand how theirOrganizations should understand how their
applications behave underapplications behave under denial of servicedenial of service
attacksattacks
Test your service for load and have an executableTest your service for load and have an executable
plan in place for when something goes wrongplan in place for when something goes wrong
Organizations should understand how theirOrganizations should understand how their
applications behave underapplications behave under resource exhaustionresource exhaustion
attacksattacks

MeasuresMeasures
MaintainMaintain separate environmentsseparate environments for production andfor production and
non-production systemsnon-production systems
Developers should not typically haveDevelopers should not typically have unmonitoredunmonitored
access to production environmentsaccess to production environments

MeasuresMeasures
Test in-house-developed/third-party web and otherTest in-house-developed/third-party web and other
application software forapplication software for coding errors andcoding errors and
malware insertionmalware insertion prior to deploymentprior to deployment

SummarySummary
Brief timeline on cyber attack historyBrief timeline on cyber attack history
DefinitionDefinition
AuditingAuditing

SummarySummary
IntegrityIntegrity
AvailabilityAvailability
ThreatThreat
VulnerabilityVulnerability
AttackAttack

SummarySummary
Input ValidationInput Validation
Sensitive DataSensitive Data

SummarySummary
Session ManagementSession Management
CryptographyCryptography
Parameter ManipulationParameter Manipulation
Auditing and LoggingAuditing and Logging
Use least privilegeUse least privilege

SummarySummary

SummarySummary
Risks and Risk Mitigation/Control MeasuresRisks and Risk Mitigation/Control Measures

Open Web Application Security Project (OWASP)Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Main_Pagehttps://www.owasp.org/index.php/Main_Page
Web Application Security ConsortiumWeb Application Security Consortium
http://www.webappsec.org/http://www.webappsec.org/
Web Application SecurityWeb Application Security
http://www.techopedia.com/definition/24377/web-application-securityhttp://www.techopedia.com/definition/24377/web-application-security
Application Software SecurityApplication Software Security
http://www.tripwire.com/state-of-security/security-data-protection/20-critical-security-controls-control-6-application-sofhttp://www.tripwire.com/state-of-security/security-data-protection/20-critical-security-controls-control-6-application-sof
Improving Web Application Security: Threats and CountermeasuresImproving Web Application Security: Threats and Countermeasures
http://msdn.microsoft.com/en-us/library/ff648636.aspxhttp://msdn.microsoft.com/en-us/library/ff648636.aspx

10 Common Mobile Security Problems to Attack10 Common Mobile Security Problems to Attack
http://www.pcworld.com/article/2010278/10-common-mobile-security-problems-http://www.pcworld.com/article/2010278/10-common-mobile-security-problems-
11 Most Common Security Threats11 Most Common Security Threats
http://www.symantec-norton.com/11-most-common-computer-security-threats_khttp://www.symantec-norton.com/11-most-common-computer-security-threats_k
Cyber Attack TimelineCyber Attack Timeline
http://www.nato.int/docu/review/2013/Cyber/timeline/EN/index.htmhttp://www.nato.int/docu/review/2013/Cyber/timeline/EN/index.htm

A Potted History of the IT Industry: 25 Years of MilestonesA Potted History of the IT Industry: 25 Years of Milestones
http://www.computerworlduk.com/slideshow/it-business/3278948/a-potted-history-of-the-it-industry-2http://www.computerworlduk.com/slideshow/it-business/3278948/a-potted-history-of-the-it-industry-2
A Short History of Hacks, Worms and CyberterrorsA Short History of Hacks, Worms and Cyberterrors
http://www.computerworld.com/s/article/9131924/A_short_history_of_hacks_worms_and_cyberterrorhttp://www.computerworld.com/s/article/9131924/A_short_history_of_hacks_worms_and_cyberterror
Data Visualization of DDoS on TwitterData Visualization of DDoS on Twitter
http://datavisualization.ch/showcases/how-twitter-got-attacked-by-a-ddos/http://datavisualization.ch/showcases/how-twitter-got-attacked-by-a-ddos/
Russian Coder: I Hacked Georgia’s Sites in CyberwarRussian Coder: I Hacked Georgia’s Sites in Cyberwar
http://www.wired.com/2008/10/government-and/http://www.wired.com/2008/10/government-and/

Application Security

More Related Content

What's hot

Viewers also liked

Similar to Application Security

More from Reggie Niccolo Santos

Recently uploaded

Application Security