Css sf azure_8-9-17-protecting_web_apps_stephen coty_al

WEB APPLICATION SECURITY:
PROTECTING YOUR WEB
APPLICATION
Stephen Coty
Chief Security Evangelist, Alert Logic

Threats by Customer Environment
Source: Alert Logic 2015 Customer Data
48%
23%
21%
2%
6%
CLOUD ATTACKS
APPLICATION ATTACK
BRUTE FORCE
RECON
SUSPICIOUS ACTIVITY
TROJAN ACTIVITY
25%
47%
10%
11%
7%
Brick and Mortar ATTACKS
APPLICATION ATTACK
BRUTE FORCE
RECON
SUSPICIOUS ACTIVITY
TROJAN ACTIVITY

Web Application Security
sqli, 59%
openvas, 13%
apache_struts, 9%
joomlaua, 4%
pagerank, 2%
havij, 2%
magento_sqli, 2%
sqli_error, 2%
sqlmap, 1%
tor, 1%
sqli openvas apache_struts joomlaua pagerank havij magento_sqli sqli_error sqlmap tor
Source: Alert Logic CSR 2016

SQL Injection Last 60 Days - 060817

Vulnerabilities
+ Change
+ Shortage
Complexity of defending web applications and workloads
Risks are moving up the stack
1. Wide range of attacks at every
layer of the stack
2. Rapidly changing codebase can
introduce unknown vulnerabilities
3. Long tail of exposures inherited
from 3rd party development tools
4. Extreme shortage of cloud and
application security expertise
Web App
Attacks
OWASP
Top 10
Platform /
Library
Attacks
System /
Network
Attacks
Perimeter & end-point security tools
fail to protect cloud attack surface
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Server OS
Hypervisor
Databases
Networking
Cloud Management

Web Application Security
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Server OS
Hypervisor
Databases
Networking
Cloud Management

Web Application Vulnerability Example
CVE-1999-0278 – in IIS, remote attackers can obtain
source code for ASP files by appending “::$DATA” to the
URL
Patch MS98-003
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Server OS
Hypervisor
Databases
Networking
Cloud Management

Hacker Recon Methods
Crawling Target Website
Mass Vulnerability Crawl
Open Forums
Dark Web
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Server OS
Hypervisor
Databases
Networking
Cloud Management

Crawling Target Website
• Manual
- Browse the website as a normal user
- Gather email addresses, related domains and domain info
- Web application code language
o Revision
o Plug-ins
- Web server OS
- User input pages
- Directory structure
- Backend systems
• Software tools
- Find hidden forms, software version, js files, links and comments

Mass Vulnerability Crawl - Example
• Google Dorking – (aka Google hacking) Uses the search engine to find
difficult information using complex, detailed search queries
- Plug in search string to find vulnerable websites
- Some have preset search strings
- Search results are dynamic
- Timing is everything
o Target system could be patched
o Other hackers got there first

Open Forums - Example
• Vulnerability details
- Date reported
- Type of vulnerability
- Platform impacted
- Author (not shown)
- Verification (time permitting)
- Link to infected application (some)

Targeted - Dark Web
• Encrypted network
• Restricted access between Tor servers and clients
• Collection of DBs and communication channels
• Hidden from conventional search engines
• Shares some features with Open Forums
• Tor browser required
• More advanced resources and tools

Attack Methodology
• Attack of opportunity
- Hacker finds vulnerability within skillset
- Target system and organization irrelevant
• Targeted attack
- Specific to people or organization
- System resources
• Low cost of entry
- Open list of vulnerabilities
- Targets easy to find
- Hacker’s skill-set varies

Attacks of Opportunity
• Vulnerability Database Monitoring
• Block Network Vulnerability Scanning
• Google Dorking
• Shodan
• Application Vulnerability Scan

Targeted Attacks
• Scanning IP Internet Assets
• Application/Network Vulnerability Scan
• Careers Page
• Research Technologies
• Social Media Profiling
• Phishing Email
• Escalate Privileges
• Maintain Access
• Exfiltration of Data

FROM WEB APPS TO
PRIVILEGED ACCESS

From Web Apps to Privileged Access
• How hacking a web app can lead to system compromise
- Code analysis
o Review of code to reveal unintended system information
- System scanning
o Other software could have vulnerabilities
- Session Hijacking
o Exploiting a current, valid session
- Social Engineering
o Deception used to manipulate behavior

• Code analysis
- Account information
o Usernames and passwords
o Plain text or hashed
- Software tools
o Web search
o Scan to identify
• Usernames & passwords
o Brute force to crack encryption
o Throttle tools to avoid detection
o Offline may be an option

• Session Hijacking
- Obfuscated code
o Embedded in images
o Mouse-over techniques
- Proxy replay
- Malicious binary
- Session cookies
- Java script injection
- Cross-site scripting
- Routine system maintenance
- Bind shell

Secure Your Code
• Test inputs that are open to the Internet
• Add delays to your code to confuse bots
• Use encryption when you can
• Test libraries
• Scan plugins
• Scan your code after every update
• Limit privileges
• DevSecOps

Create Access Management Policies
• Identify data infrastructure that requires access
• Define roles and responsibilities
• Simplify access controls
• Key Management System (KMS)
• Continually audit access
• Start with a least privilege access model

Adopt a Patch Management Approach
• Constantly scan all production systems
• Compare reported vulnerabilities to production
infrastructure
• Classify the risk based on vulnerability and
likelihood
• Test patches before you release into production
• Setup a regular patching schedule
• Keep informed, follow bugtraqer
• Golden Images
• Reference Architecture, Formation Templates

Understand Your Service Providers Security Model
Azure Platform Services
Security &
Management
Azure Infrastructure Services
Web Apps
Mobile
Apps
API
Management
API
Apps
Logic
Apps
Notification
Hubs
Content Delivery
Network (CDN)
Media
Services
HDInsight Machine
Learning
Stream
Analytics
Data
Factory
Event
Hubs
Mobile
Engagement
Active
Directory
Multi-Factor
Authentication
Portal
Key Vault
Biztalk
Services
Hybrid
Connections
Service
Bus
Storage
Queues
Store /
Marketplace
Hybrid
Operations
Backup
StorSimple
Site
Recovery
Import/Export
SQL
Database
DocumentDB
Redis
Cache
Search
Tables
SQL Data
Warehouse
Azure AD
Connect Health
AD Privileged
Identity
Management
Operational
Insights
Cloud
Services
Batch Remote App
Service
Fabric Visual Studio
Application
Insights
Azure SDK
Team Project
VM Image Gallery
& VM Depot
Azure Security
Center
Automation

Security Management and Monitoring Strategy
• Monitoring for malicious activity
• Scanning Services
• Forensic investigations
• Compliance needs
• System performance
• All sources of log data is collected
• Data types (OS, CMS, DB, Web)
• WAF
• Correlation logic
• IAM behavior
• IDS Network traffic
• FIM Logs
• Focused security research
• Security content creation
• Review process
• Live monitoring

Follow our Research & Stay Informed on the Latest Vulnerabilities
Blog
https://www.alertlogtic.com/resources/blog
Newsletter
https://www.alertlogic.com/weekly-threat-report/
Cloud Security Report
https://www.alertlogic.com/resources/cloud-security-report/
Zero Day Magazine
https://www.alertlogic.com/zerodaymagazine/
Twitter
@AlertLogic @StephenCoty @_PaulFletcher
Websites to follow
• http://www.securityfocus.com
• http://www.exploit-db.com
• http://seclists.org/fulldisclosure/
• http://www.securitybloggersnetwork.com/
• http://cve.mitre.org/
• http://nvd.nist.gov/

How Alert Logic Detects Threats

Css sf azure_8-9-17-protecting_web_apps_stephen coty_al

More Related Content

What's hot

Similar to Css sf azure_8-9-17-protecting_web_apps_stephen coty_al

More from Alert Logic

Recently uploaded

Css sf azure_8-9-17-protecting_web_apps_stephen coty_al