The document discusses the importance of conducting application security reviews to identify vulnerabilities. It outlines best practices for application security such as input validation, access controls, encryption, and ongoing patching and monitoring. The presentation notes that many applications are found to have significant security flaws and that securing both applications and infrastructure is needed for effective security.

1. Application Security Review Presented by Manoj Agarwal CEP on Dec 5, 09@IIA-India, Bombay Chapter

2. Agenda What is an Application Security Review Why Application Security Assessment Examples of Potential Vulnerabilities Q & A

3. Reviewing Application Confidentiality Confidential information must only be divulged as appropriate, and must be protected from unauthorized disclosure or interception. Confidentiality includes privacy considerations. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data etc. Integrity Information integrity refers to the state of data as being correct and complete. This specifically includes the reliability of financial processing and reporting. The integrity of data is not only whether the data is 'correct', but whether it can be trusted and relied upon Availability Information must be available to the business, its customers, and partners when, where, and in the manner needed. Availability includes the ability to recover from losses, disruption, or corruption of data and IT services, as well as from a major disaster where the information was located.

4. Motivation For Application Security Cost of recovery and lost productivity Loss of data Impact on consumer confidence Legal risks

5. Security Principles Confidentiality Integrity Authentication Authorization Availability Non-repudiation

6. Managing Risk Strategic Tactical Operational Legal

7. Assessment Criteria Definition of an application Scope of assessments High-risk Medium-risk Low-risk Types of Assessments Limited assessments Comprehensive assessments

8. Participants Security Policy Threat Modeling Corporate Security Application Review Team Operations IT Risk Assessment Audits Action on Audit Findings Action on Audit Findings Business Unit IT Groups

9. Application Security Process Framework Verify In Production Applications Design, Develop, Test, and Verify Secure Apps Educate IT Professionals Maintain and Publish Policies and Guidelines Respond to Security Exposure Incidents Apply Lessons Learned

10. Application Management – Secure Infrastructure NETWORK HOST APPLICATION ACCOUNT TRUST Architecture Transport Network device Access control list (ACL) permission settings Operating system Services Internet Information Services (IIS) Simple Mail Transfer Protocol (SMTP) File Transfer Protocol (FTP) NetBIOS/Remote procedure call (RPC) Terminal Services Microsoft SQL Server TM Input validation Clear text protocol Authentication Authorization Cryptography Auditing and logging Unused accounts Weak or blank passwords Shared accounts Access privileges Rogue trusts

11. Building Secure Networks – Configuration Network segmentation Firewalls Routers and switches

12. Building Secure Networks – Intrusion Detections Systems And Network Encryption Detection systems should monitor for Reconnaissance attacks Exploit attacks Denial of service attacks Network encryption Key tool in preventing sensitive data from being read Sensitive communication should be encrypted Industry-standard encryption methods: Secure Sockets Layer (SSL), secure shell program such as SSH, Internet Protocol Security (IPSec)

13. Building Secure Hosts For Applications Patch management Configuration Permissions Simple Network Management Protocol community strings Antivirus software Server auditing and logging Server backup and restore

14. Application Layer Requirements Input validation Session management Authentication and authorization Design and code review Application and server error handling Application auditing and logging Application backup and restore Private data encryption

15. Common Application Development Issues User input validation Cookies, authentication, and access Passwords Access control lists Auditing and logging

16. Lessons Learned If you wait until an application is already in production to make it secure, you are too late Good security practices take into account both the host and the application client Create clearly written and easily accessible security guideline documentation Create security checklists that include step-by-step instructions Develop a thoroughly considered policy exception tracking process Education is crucial to the success of a security program Processes and reporting are required to ensure that inventory information is maintained Security is an ongoing, always changing, concern

17. Lessons Learnt.. 70% of applications reviewed by security firms had significant security design flaws Interaction between server, 3rd party code, and custom business logic creates vulnerabilities Patching or rebuilding app expensive Perception exists that locking down OS and web server = web security Web-facing, business critical applications HTTP & SLL open to the world Much investment focused on infrastructure Well understood threats, mature products Firewalls, authentication, intrusion detection Security many times an overlooked facet of web development projects

18. Policies Applications should comply with application security policies and guidelines Applications should go through a security design review process Third-party application vendors should provide assurances that the software does not contain anything that could be used to compromise security controls Internet-facing applications should use existing methods of authentication Applications that reside on the corporate network should rely on Windows integrated authentication Applications that cannot use Windows integrated authentication should either encrypt or hash the password stores Credentials should never be stored or sent unencrypted User input should be filtered and examined at the Web server Web applications should use strong, nonpredictable session IDs Web applications should use an inactivity timeout Cookies that contain sensitive data should be marked as secure and nonpersistent

19. Examples…Parameter Tampering Price information is stored in hidden HTML field with assigned $ value Assumption: hidden field won’t be edited Attacker edits $ value of product in HTML Attacker submits altered web page with new “price” Still widespread in many web stores

20. Examples…Cookie Poisoning Attacker impersonates another user Identifies cookie values that ID’s the customer to the site Attacker notices patterns in cookie values Edits pattern to mimic another user

21. Un-validated Input Attack Exploitation of implied trust relations Instead of: [email_address] Attacker inputs: ////////////////////////////////////////////////// Exploits lack of boundary checkers on back-end application

23. Thank You