Application Security for the masses
1. 5 March 2011 – www.codemotion.it
There are only 10 types
of people in the world:
Those who understand binary,
and those who don't
(Who + What) && (Where + When) == Why
APPLICATION SECURITY FOR THE MASSES
Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/. Andrea Pompili <apompili@hotmail.com>, Xilogic Corp.
2. Running Normal / Running Hacked
Diagram, running normal: program instructions, integer data, a char data buffer, and a pointer that says which program line runs next; the program jumps to the next address.
Diagram, running hacked: the char data buffer is overrun with injected code and the pointer is corrupted; the program jumps to the overwritten address and executes the injected code.
3. The Onion Application Framework
Diagram: layers around the Data at the centre.
4. To Code or not to Code
5. Users = Lusers (Utenti = UtOnti)
"At this moment you have received the 'Albanian virus'.
Since we in Albania have no experience in software and programming, this Albanian virus works on the principle of trust and cooperation.
So we ask you now to delete all the files on your hard disk and send this virus to all the friends in your address book.
Thank you for your trust and cooperation."
6. Computer fraud in numbers
Figures shown on the slide (the values were not captured in the text): credit fraud on the web during 2010; cost of a compromised identity; overall damage from scams; damage caused by false identities; complaints to the Postal Police service in 2010.
Source: CRIS for Il Sole 24 Ore, November 2010
8. The OWASP project
OWASP Top 10 – 2007 (previous)                            OWASP Top 10 – 2010 (new)
A2 – Injection Flaws                                      A1 – Injection
A1 – Cross Site Scripting (XSS)                           A2 – Cross-Site Scripting (XSS)
A7 – Broken Authentication and Session Management         A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference                     A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)                    A5 – Cross Site Request Forgery (CSRF)
<was T10 2004 A10 – Insecure Configuration Management>    A6 – Security Misconfiguration (NEW)
A8 – Insecure Cryptographic Storage                       A7 – Insecure Cryptographic Storage
A10 – Failure to Restrict URL Access                      A8 – Failure to Restrict URL Access
A9 – Insecure Communications                              A9 – Insufficient Transport Layer Protection
<not in T10 2007>                                         A10 – Unvalidated Redirects and Forwards (NEW)
A3 – Malicious File Execution                             <dropped from T10 2010>
A6 – Information Leakage and Improper Error Handling      <dropped from T10 2010>
9. The way to Application Security
Diagram: the assets (Files, Databases, Applications) and the three groups involved: Development, ICT Operations, IT Security.
10. Current Application Security market
11. Enforcement Infrastructures
Diagram: Files and Databases are covered by FAM, DAM, DLP and data classification; Applications by IAM (authentication, authorisation), a WAF and internal usage policies.
13. Attack on Poste Italiane
14. What went wrong?
http://unu1234567.baywords.com/2009/09/05/poste-italiane-hacked-sql-injection/
15. SQL Injection
OWASP A1 – Injection
Injection flaws, such as SQL injection, OS injection and LDAP injection, occur when unvalidated data is sent to an interpreter as part of a command or query. The tainted data can then trick the interpreter into executing unintended commands or accessing data without authorisation.
16. Site redirect
17. Application Firewall
Diagram: the request inspected on its way to the application.
POST http://www.sito.it/vulnpage.php HTTP/1.1
username: test
password: x'; DROP TABLE users; --
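As an added example (not code from the slides or from Poste Italiane): the login query behind the request above, built the vulnerable way and the parameterised way, plus the kind of signature check a WAF in front of vulnpage.php applies. It assumes an sqlite3 in-memory database with a constructed users table; the request body is the one on the slide.

```python
"""Added example, not from the slides: the login query behind the
"Application Firewall" slide built two ways, plus a WAF-style check.
Schema, user row and driver (sqlite3) are constructed for the demo;
the POST body is the one shown on the slide."""
import re
import sqlite3

# Constructed sample input: the request body from the slide.
REQUEST = {"username": "test", "password": "x'; DROP TABLE users; --"}


def fresh_db():
    """In-memory database with one constructed user row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('test', 'secret')")
    db.commit()
    return db


def table_exists(db, name):
    row = db.execute("SELECT count(*) FROM sqlite_master "
                     "WHERE type = 'table' AND name = ?", (name,)).fetchone()
    return row[0] == 1


def vulnerable_login(db, username, password):
    """String concatenation: the input becomes SQL text, so the quote in
    the payload closes the literal and '; DROP TABLE' is parsed as a second
    statement. executescript() stands in for a driver that allows stacked
    queries, which is what made the slide's payload destructive."""
    sql = ("SELECT count(*) FROM users WHERE name = '" + username
           + "' AND password = '" + password + "'")
    db.executescript(sql)          # runs both statements
    return sql


def safe_login(db, username, password):
    """Parameterised query: values travel separately from the SQL text,
    so the payload is compared as an ordinary string and never parsed."""
    row = db.execute("SELECT count(*) FROM users WHERE name = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] == 1


# What a WAF in front of vulnpage.php does: a signature check on each
# parameter. It catches the slide's payload, but it only complements the
# parameterised query above; the fix is in the application.
STACKED_QUERY = re.compile(r"'\s*;\s*(drop|delete|insert|update|alter)\b", re.I)


def waf_inspect(params):
    """Return the names of parameters matching the stacked-query signature."""
    return [k for k, v in params.items() if STACKED_QUERY.search(v)]
```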
19. Top-ups and electricity meters
20. What went wrong?
ESME / UCP message log (screenshot):
29 00229 51      . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
30 00237 51 1/2  . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
31 00237 51 2/2  . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
32 00237 51 1/3  . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
33 00237 51 2/3  . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
34 00237 51      . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
35 00237 51 1/4  . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
36 00237 51 2/4  . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
37 00237 51 3/4  . Delivery Failure: .<<0x0A>>To:<<0x0A>>Reason:Wrong address format for recipient(LH)
22. The Wikileaks case
23. What went wrong?
24. File Security & Monitoring
Diagram, three steps:
1. Crawl file systems: find name, type, owner, permissions…
2. Build the data/permission map: apply classification policies (owner, org, location) and automatic content classification.
   Who      Group    What          Class
   Joe, IT  Fin-CC   Read cc.xls   Financials
   Jim, HR  HR-Exec  Read PII.doc  PII
3. Enforce policies:
   Who          What               Action
   Non Finance  Update Financials  Block
   Any          Read PII           Audit
Flow: Joe (IT) reaching the NAS is blocked (X); Jim (HR) reaching the file servers through FAM is allowed (OK).
Audit log:
   Who  What          When            Action
   Joe  Read CC.xls   1/1/2010 12:50  Block
   Jim  Read PII.doc  1/1/2010 12:51  Audit
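As an added example (not code from the slides or from any FAM product): the crawl, map, enforce flow of the slide above reduced to a policy engine with the slide's two policy rows and an audit log. The file map, group membership and timestamps are constructed; it reads the "Non Finance" rule as any user outside the Finance group and fails closed on files missing from the map, both my assumptions, so it follows the policy table literally (only an Update of Financials by a non-Finance user is blocked).

```python
"""Added example, not from the slides: the crawl -> map -> enforce flow of
the File Security & Monitoring slide, with its two policy rows and an
audit log. File map, group membership and timestamps are constructed."""
from dataclasses import dataclass, field

# Steps 1 and 2 (constructed): the data/permission map a crawler would
# build, keyed by file name, plus each user's group membership.
FILE_MAP = {
    "cc.xls":  {"owner": "Joe", "org": "Finance", "class": "Financials"},
    "PII.doc": {"owner": "Jim", "org": "HR",      "class": "PII"},
}
GROUPS = {"Joe": {"IT", "Fin-CC"}, "Jim": {"HR", "HR-Exec"}}

# Step 3: the policy table from the slide. A "Non <group>" rule is read
# here (assumption) as "any user who is not a member of <group>".
POLICIES = [
    {"who": "Non Finance", "action": "Update", "class": "Financials", "decision": "Block"},
    {"who": "Any",         "action": "Read",   "class": "PII",        "decision": "Audit"},
]


def who_matches(who_rule, user):
    """Evaluate the Who column of a policy row against a user."""
    groups = GROUPS.get(user, set())
    if who_rule == "Any":
        return True
    if who_rule.startswith("Non "):
        return who_rule[4:] not in groups
    return who_rule in groups


@dataclass
class FileMonitor:
    audit_log: list = field(default_factory=list)

    def enforce(self, user, action, filename, when):
        """Decide Block / Audit / Allow for one access and log it.
        Files missing from the map are unclassified, so they fail closed."""
        info = FILE_MAP.get(filename)
        decision = "Block" if info is None else "Allow"
        if info is not None:
            for rule in POLICIES:
                if (rule["class"] == info["class"] and rule["action"] == action
                        and who_matches(rule["who"], user)):
                    decision = rule["decision"]
                    break
        self.audit_log.append({"who": user, "what": f"{action} {filename}",
                               "when": when, "action": decision})
        return decision
```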
26. Into the Wireless World
27. What went wrong?
Diagram: the application's initialisation script, ../main/init/initdb.jsp, which runs:
DROP DATABASE cms;
CREATE TABLE contents (…);
CREATE TABLE news (…);
CREATE INDEX idx1;
...
28. Database Security & Monitoring
Who, where, how and when
Diagram columns: Who, How, Where, What, When; tools: DAS, URM, DAM.
Questions answered: Who is? (JOE, which department?); Sensitive? (CCTAB holds credit card data); What rights? (JOE can update CCTAB); When used? Is it dormant? (JOE's use of CCTAB).
29. La n
30. Questions?
English: Questions?
Spanish: ¿Preguntas?
Russian: вопросы?
Italian: Domande?
Greek: Ερωτήσεις?
Klingon: tupoQghachmey
Arabic, Sindarin and Japanese versions were shown on the slide but not captured in the text.